
Are there any more sophisticated parsers that also find the non-obvious cases?

It should be easily doable to write a tool that finds an exec() of a variable that was assigned a $GET etc
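As an added example that is not part of the thread, a minimal line-based taint scanner of the kind this comment describes: request superglobals (`$_GET`, `$_POST`, and so on, assumed to be what "$GET" refers to) are sources, the `exec()` family are sinks, and taint follows plain variable-to-variable reassignments so the "non-obvious" indirect case is caught as well. The PHP sample and the sanitizer list are constructed for the demonstration.

```python
import re

# Request superglobals whose contents are attacker-controlled (sources).
SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")
# Shell-execution functions that must not receive tainted data (sinks).
SINKS = ("exec", "shell_exec", "system", "passthru", "popen")
# Calls whose result is treated as cleaned (assumption: a simplified list).
SANITIZERS = ("escapeshellarg", "escapeshellcmd", "intval")

ASSIGN_RE = re.compile(r'^\s*(\$\w+)\s*=\s*(.+?);')
VAR_RE = re.compile(r'\$\w+')
SINK_RE = re.compile(r'\b(' + '|'.join(SINKS) + r')\s*\((.*)\)')


def find_tainted_sinks(php_source):
    """Return (line_no, sink, variable) for every sink call whose argument
    list contains a request superglobal or a variable that was, directly or
    through intermediate assignments, assigned from one."""
    tainted = set()
    findings = []
    for no, line in enumerate(php_source.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m:
            var, rhs = m.group(1), m.group(2).strip()
            if rhs.startswith(SANITIZERS):
                tainted.discard(var)          # sanitized result: clean
            elif any(s in rhs for s in SOURCES) or any(
                    v in tainted for v in VAR_RE.findall(rhs)):
                tainted.add(var)              # direct or indirect taint
            else:
                tainted.discard(var)          # overwritten with clean data
        s = SINK_RE.search(line)
        if s:
            for v in VAR_RE.findall(s.group(2)):
                if v in tainted or v in SOURCES:
                    findings.append((no, s.group(1), v))
    return findings


# Constructed PHP sample: one direct, one indirect, one sanitized, one constant.
SAMPLE_PHP = """<?php
$cmd = $_GET['cmd'];
$copy = $cmd;
$safe = escapeshellarg($copy);
$fixed = "ls";
exec("ls " . $copy);
system($safe);
passthru($fixed);
shell_exec($_POST['x']);
"""

if __name__ == "__main__":
    for line_no, sink, var in find_tainted_sinks(SAMPLE_PHP):
        print(f"line {line_no}: {sink}() receives tainted {var}")
```

The scanner is intentionally line-oriented and ignores string-concatenation assignments, control flow and function boundaries, so it is a starting point for a grep-style review tool rather than a real static analyser.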



I think it's easier to just avoid exec() altogether...


Sadly, there are cases where exec() is impossible to avoid - for example, every kind of tool that doesn't have a proper library and language bindings. See git and the grit library for an example.


True, but there is a lot of software out there where people don't do that. Might be interesting to find vulnerabilities that are slightly less obvious.





