Omitting system binary path is a type of "security through obscurity". In most cases, this method of security is not hard to defeat. Not including sbin dir will not make a system more secure. When a normal user wants to execute a file within that directory, if he has permission, all he has to do is to add prefix /sbin to the execute file name. I believe it is never a good idea to secure a system though obscurity. In this case, let the permission handle the authorisation. If you do not want a normal user execute a system binary file, chmod it properly.
*** Bug 467610 has been marked as a duplicate of this bug. ***
It's not a question of security. The thing is most utilities in /sbin and /usr/sbin require root privileges because they access or modify stuff that can only be accessed or modified by root, so why would you want to run them? Why should bash bother looking for commands in these directories? Anyway, there are utilities there that can partially work for normal users as well, and as a matter of coincidence, the plan is to add these directories to $PATH of normal users in Fedora 10 - http://fedoraproject.org/wiki/Features/SbinSanity . Not sure this is something to do in RHEL 5, though.
And to be precise, bash only reads PATH env, but not set it.
Closing DEFERRED, that's not something what should be changed in RHEL-5 - change in behaviour - but as it is already added in Fedora(after sbin sanity check - to F10), I guess it would be added in RHEL-6.