Exactly, FreeBSD uses the simplest solution for the task, in the name of security. FreeBSD isn't "secure from Heartbleed because they don't use Bash" but rather, FreeBSD is "secure because by default only the most basic, necessary software is installed" which happened to be sh instead of bash.