The scary thing about CGI for me is more the shell insanity than the forking. Although I think after the shell shock RCE most servers probably switched to directly execing the CGI process.
Indeed. There is no reason why CGI would need shells or scripting languages though, you can just write them in any programming language. It's not that hard; I wrote this pastebin clone in C: https://github.com/gsliepen/cbin/
It's not an issue with the actual CGI program. It's hard to make exec alone work the way people expect without doing something like exec('sh', '-c',...) so a lot of servers were doing that.
I think they were already doing that. I'd be very surprised if Apache's mod_cgi in 01997 had been spinning up a whole bash process to spawn off the CGI script as a subprocess! Certainly I haven't seen the passels of useless bash processes in ps that you would get with that approach.
