System() creates child processes, specified by parameters. If you don't sanitize your parameters, any child process could be created. If you run this software as root, that means root will run the command. If you run this as user, it's safer than root, but not actually safe.
1) The user isn't always the one providing user input.
2) When the user does provide input, the user isn't always smart.
3) Users do things that you never would have conceived.
Unsanitized system() calls are even worse than leaving your system wide open to a sql inection attack.
All of the above apply to bash, but it still happily creates processes from user supplied input. As previously mentioned, not all software is run on a remote-access system for strangers on the internet.
1) The user isn't always the one providing user input.
2) When the user does provide input, the user isn't always smart.
3) Users do things that you never would have conceived.
Unsanitized system() calls are even worse than leaving your system wide open to a sql inection attack.