Apple provided the following statement to Jim Dalrymple regarding the recently discovered Bash vulnerability:

With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.

I would assume that the percentage of OS X users that actually use advanced UNIX services is miniscule.