No, gostcoder, this is a very big deal. The problem is that you can also invoke shell commands. Most X users stay out of the shell and this is a bad thing. So when the 'sploit is run with the shell command:
/bin/rm -Rf *
Most users won't understand when a term window comes up, and in their name removes, recursively, all their stuff, wtf happened.
The help:// uri can be masked by long URLs, hex coding, and other mischief.
We should all take this seriously. And Apple SHOULD move their collective *sses.