The security concern is that if bash is started with an environment variable whose value looks like a function definition followed by further commands, bash will execute those trailing commands while importing the function, before it runs anything you actually asked it to.
For example, let's say you have a web server that calls /bin/foo bar. Let's say this foo application also uses an environment variable called baz, and the value of this variable comes from input provided by the user. So the web server application sets the environment and then shells out to foo bar. When bash reads the environment at startup, if that user-provided variable contains malicious code, bash is going to run it.
Normally this is not a concern. Merely having an environment variable set is supposed to be completely safe; if the application that reads the variable misbehaves with its value, that is another matter. But in the situation above bash never even uses the baz variable, and it still runs the code that was hidden in it.
For example:
testscript.sh (run with dash so that nothing before the explicit bash call parses the payload):
# a bash function definition followed by a trailing command
export BAZ='() { :;}; echo MALICIOUS CODE'
echo starting sleep
# bash is only asked to sleep, but it imports BAZ first
/bin/bash -c 'sleep 1'
When running it, we get the following
$ /bin/dash testscript.sh
starting sleep
MALICIOUS CODE
So simply from having that variable set, we can get bash to run arbitrary code, with no cooperation from the command it was asked to run.
Here's another example that uses no explicit shell and makes no mention of bash:
$ perl -e '$ENV{"BAZ"}="() { :;}; echo MALICIOUS CODE"; print("starting sleep\n"); system("/bin/sleep 1;");'
starting sleep
MALICIOUS CODE
(for this to work, /bin/sh needs to be an unpatched bash: because the command string contains a ";", perl's system() hands it to /bin/sh -c instead of exec'ing /bin/sleep directly, so it is that intermediate shell which imports BAZ and runs the payload; on systems where /bin/sh is dash, this particular example does nothing)
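The following is an added example, not code from the original answer. It packages the two ideas above into a script: a probe that starts an interpreter with the function-style payload only in the child's environment and reports whether the trailing command ran, and a check for the web-server side of the scenario, where a user-supplied value is about to become an environment variable for a shelled-out command. The variable name BAZ, the marker string, the function names and the mapping of an HTTP header to an HTTP_* variable (the CGI convention, which is how user input reaches the environment in the web-server case) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer).
#
# shellshock_probe INTERP
#   Starts INTERP (default: bash) with BAZ set, in the child's environment
#   only, to a bash function definition followed by a trailing command.
#   A patched bash imports the function and ignores the trailer; an
#   unpatched one runs it, so the marker shows up in the output.
#   Prints "vulnerable", "patched" or "not-found".
shellshock_probe() {
    interp=${1:-bash}
    command -v "$interp" >/dev/null 2>&1 || { echo "not-found"; return 2; }
    # env(1) sets BAZ for the child only; this script's own shell never
    # sees the payload, so the result reflects the child interpreter.
    out=$(env BAZ='() { :;}; echo SHELLSHOCK_MARKER' \
              "$interp" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable"; return 1 ;;
        *)                   echo "patched";    return 0 ;;
    esac
}

# cgi_var_name HEADER
#   The CGI convention: a request header such as User-Agent becomes the
#   environment variable HTTP_USER_AGENT of the handler, which is exactly
#   how untrusted input lands in the environment of a shelled-out command.
cgi_var_name() {
    # leading '-' in the tr sets is literal; '--' stops option parsing
    printf 'HTTP_%s\n' "$1" | tr -- '-a-z' '_A-Z'
}

# is_safe_env_value VALUE
#   Defense-in-depth check before exporting a user-controlled value: bash's
#   function import keys on a value that begins with "() {", so such values
#   have no business in the environment of a child process. This is a
#   boundary filter, not a substitute for patching bash.
is_safe_env_value() {
    case "$1" in
        '() {'*) return 1 ;;   # looks like an exported bash function
        *)       return 0 ;;
    esac
}

# Usage: same request value, checked before it becomes HTTP_USER_AGENT.
ua='() { :;}; echo MALICIOUS CODE'
if is_safe_env_value "$ua"; then
    echo "would export $(cgi_var_name User-Agent)"
else
    echo "rejected value for $(cgi_var_name User-Agent)"
fi
shellshock_probe bash
```

On a system patched after 2014 the probe prints "patched" (the function body is imported, the trailer is not executed); running it with a pre-patch bash prints "vulnerable". The value filter deliberately looks only at the "() {" prefix that the import feature itself keys on, which is the same reason a value like "Mozilla/5.0" passes untouched.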