in reply to Re: Format string vulnerability
in thread Format string vulnerability
Taint mode does not trap tainted data being included as part of the format string passed to (s)printf -- i.e. the following does not die with a taint error

And it shouldn't. Tainting prevents you from using tainted data to (potentially) modify the environment. You can't open a file for writing if the filename is tainted. But you can print tainted data. Or open a file whose name is tainted. Tainting will not prevent your program from consuming huge quantities of memory or CPU time - or from printing out very long strings.
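An added illustration of the point above (example code, not from the original post): under -T the command-line argument is tainted, yet sprintf accepts it as a format without complaint, so the defence is to keep the format a literal and, where a template must be accepted, to check it yourself. The helper name format_has_conversions is assumed here, not a Perl built-in.

```perl
#!/usr/bin/perl -T
# Added example, not code from the original thread. Run as: perl -T script.pl '%999999999s'
# Under -T, @ARGV and %ENV are tainted; the fallback sample is tainted on purpose
# by appending an empty substring of a tainted value (the perlsec trick).
use strict;
use warnings;
use Scalar::Util qw(tainted);

my $user = @ARGV ? $ARGV[0] : '%999999999s' . substr($ENV{PATH} // '', 0, 0);

# Does a string, used as a printf format, contain any conversion at all?
# "%%" is a literal percent sign and is allowed; anything else with "%" is not.
sub format_has_conversions {
    my ($fmt) = @_;
    (my $copy = $fmt) =~ s/%%//g;      # drop literal percent signs first
    return $copy =~ /%/ ? 1 : 0;
}

printf "input is %s\n", tainted($user) ? 'tainted' : 'not tainted';

# Unsafe: the tainted string becomes the format. Taint mode does not object,
# and a width such as 999999999 makes sprintf build a string of that size.
# my $line = sprintf($user);

# Safe: the format is a literal and the user string is only ever a %s argument,
# so any "%" sequences in it are printed verbatim rather than interpreted.
my $line = sprintf("user said: %s\n", $user);
print $line;

# Where a caller must accept a template, reject one that carries conversions
# instead of relying on taint mode, which lets it through.
if (format_has_conversions($user)) {
    print "template rejected: contains printf conversions\n";
}
```

The script must be started with perl -T (a -T only in the shebang gives "Too late for -T" when invoked as perl script.pl).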