This isn't really a 'vulnerability' at all, and it's not related to WHMCS. The same can be said about any application using php. vBulletin, modernbill, etc. All you have to do to any of these is upload a shell script and do the same thing.
Yeah, it's a bit of a risk to allow this stuff, I fully agree, but, disabling php functions is going to cause more problems with websites as well. Security is never about one solution (disabling functions, securing tmp, etc), but about multiple resolutions and handling issues on a per-script basis, not limiting usage like this.
For example, in this case, you should follow proper security procedures, and not allow uploads to public_html, but put your attachments and uploads outside the html directory.
WHMCS Guru - WHMCS addons, management, support and more. WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
Linux Problems? WHMCS Issues? +1-866-546-8914 (linux-14) or @whmcsguru on twitter!