I'm surprised this wasn't covered in the blog or FAQ. Seems like an important detail that security-minded customers would care about.
And somehow makes it even more magical than when you read the docs.
Except the UX is sexier.
The issue is so wide spread because usually /bin/sh links to /bin/bash...
I don't know if Debian and Ubuntu are the only *nixes using Dash instead of Bash.