Your facts are right, but the reasoning is wrong. Many Unices (including Linux) have kernel bugs that create a race condition when executing setuid scripts. These bugs allow you to start a setuid script, then quickly remove it and replace it with something else before the kernel executes it, resulting in a user being able to run anything they want on the system as whoever the script is setuid to. See Question 11 in:

http://csrc.ncsl.nist.gov/publications/secpubs/faq-sec.txt