Topic: Is this a security hole? What can go wrong?

buckworks

Is this a security hole? What can go wrong?
« on: May 26, 2016, 03:22:06 PM »
I've recently become aware that some sections of a site will generate pages even though the URL is nonsense.

http://www.example.com/this-URL-should-not-exist/ generates a page with the template and some lame default content, and returns 200 OK.

http://www.example.com/any-nonsense-you-can-think-of/ does the same.

I can see how this could become a problem for SEO but are there security implications? What could go wrong?
Rooftop

Re: Is this a security hole? What can go wrong?
« Reply #1 on: May 26, 2016, 04:04:48 PM »
Main problem I see with this is that someone can get pages like example.com/example-dot-com-are-thieves appearing in their SERPs. More worrying is when devs take the URL string content and put it on the page.

Irish Wonder is the expert on this stuff.  She can probably list another 20 ways to abuse this!

BoL

Re: Is this a security hole? What can go wrong?
« Reply #2 on: May 26, 2016, 04:49:55 PM »
Could be problematic as it's a "soft 404".

ergophobe

Re: Is this a security hole? What can go wrong?
« Reply #3 on: May 26, 2016, 05:26:58 PM »
It should only be a security hole if it is being fed in as an unsanitized SQL query, which I've seen, but that's more and more rare.

For example, many CMSs (WordPress, Drupal, etc.) handle URLs by rewriting them as a query string and passing that to the SQL server.

But that would be a problem whether the page renders or not. In other words, the phenomenon you're seeing might be an indicator that the developer isn't thinking through these issues clearly, but the lack of this issue doesn't indicate you're safe and its presence doesn't indicate an exploit per se.

But devs do all sorts of stupid things. I was recently trying to implement cross-domain tracking between a main site and a third-party site, and the third-party site crashed your browser if you had a query string of any sort on the URL. It would be as simple as the dev testing example.com/page?test=anything and it goes into an infinite loop that crashes every browser I've tried - none fail gracefully.
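The three failure modes raised in this thread (the soft 404, the URL string echoed onto the page, and the slug spliced into SQL) side by side with the hardened handler. This is an added example written for this thread, not code from any CMS mentioned above; the in-memory `pages` table and its rows are constructed sample data.

```python
import html
import sqlite3

# Constructed stand-in for a CMS content table keyed by URL slug.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE pages (slug TEXT PRIMARY KEY, title TEXT, body TEXT)")
_conn.executemany(
    "INSERT INTO pages VALUES (?, ?, ?)",
    [("about", "About us", "We make widgets."),
     ("contact", "Contact", "Email us.")],
)


def lookup_page_unsafe(slug):
    # Anti-pattern from the thread: the rewritten URL segment is pasted into
    # the SQL text, so the database parses it as SQL rather than comparing it
    # as data. A slug containing a single quote already breaks the statement.
    sql = "SELECT title, body FROM pages WHERE slug = '%s'" % slug
    return _conn.execute(sql).fetchone()


def lookup_page(slug):
    # Parameterised query: the slug is bound as a value, never parsed as SQL.
    return _conn.execute(
        "SELECT title, body FROM pages WHERE slug = ?", (slug,)
    ).fetchone()


def render(slug):
    """Return (http_status, html_body) for one URL path segment.

    Unknown slugs get a real 404 instead of a 200 with template-only
    content (the soft 404), and the slug is HTML-escaped before it is
    echoed into the page so URL content cannot inject markup.
    """
    row = lookup_page(slug)
    if row is None:
        return 404, "<h1>Not found</h1><p>Nothing at /%s</p>" % html.escape(slug)
    title, body = row
    return 200, "<h1>%s</h1><p>%s</p>" % (html.escape(title), html.escape(body))
```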