I thought one of the really important rules of using format strings was that you never let user input itself enter the format string, e.g. you'd never (shellscript examples) go printf "$input" versus printf "%s" "$input". But security experts are shrugging this off? This is a basic bug that went into production on an OS that millions of people use - any lack of care should be a reputation hit.