Unfortunately it does not fail completely safely. The change transaction seems to still be available for coin selection and causes sends to fail. The getbalance command shows an incorrect balance due to counting the change address twice - once in the double spend and once in the accepted. The accounts system also has balances messed up which some merchant sites rely on.

It is not "lose money" exploitable (unless combined with social engineering) but is definitely "lose time, lose effort" exploitable.