And what is to stop someone from sticking "interesting stuff" into the upname parameter, causing them to get into things that they shouldn't?

Read up on the poison null byte attack and note that someone who knew how could readily start reading your /etc/passwd file, from which they could run crack to start figuring out how to break into your server...

Yes, I know that you probably didn't know about this. But the people who come looking around to see if they can root your machine sure do, which is why it is important to point it out to you.