Anthony Ferrara discovered a significant security vulnerability and an even more fundamental security flaw in WordPress.
The correct fix is to ditch this whole prepare mechanism (which returns a string SQL query). Do what basically everyone else does and return a statement/query object or execute the query directly. That way you can’t double-prepare a string.
It’s worth saying that this would be a major breaking change for WP. One that many other platforms have done successfully (PHPBB did this exact thing, and went from having massive SQL Injection vulnerabilities to almost none).
WordPress has made great strides in modernizing and hardening core. I really had no idea WPDB was still in the dark ages! For shame!
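The design the quoted fix describes, sketched as an added example that is not code from WordPress or from Ferrara's post: `prepare()` returns a query object that keeps the SQL template and the values apart, so its result cannot be fed back into `prepare()` as a string. The `Query` and `Db` classes, the `posts` table and the sample title are assumptions made up for illustration, and the demo needs the `pdo_sqlite` extension.

```php
<?php
declare(strict_types=1);

// Query and Db are hypothetical names for this illustration, not WordPress's wpdb API.
final class Query
{
    private string $sql;   // template text only, never merged with values
    private array $params; // values travel separately and are bound at execution
    public function __construct(string $sql, array $params)
    {
        $this->sql = $sql;
        $this->params = $params;
    }

    public function execute(PDO $pdo): array
    {
        $stmt = $pdo->prepare($this->sql);   // driver-level prepared statement
        $stmt->execute($this->params);       // parameters are bound, not interpolated
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

final class Db
{
    private PDO $pdo;
    public function __construct(PDO $pdo) { $this->pdo = $pdo; }

    // Returns an object, not a string: the result cannot be passed back in as $sql.
    public function prepare(string $sql, array $params = []): Query
    {
        return new Query($sql, $params);
    }

    public function run(Query $query): array { return $query->execute($this->pdo); }
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)");
$pdo->exec("INSERT INTO posts (title) VALUES ('100%s pure data')");
$db = new Db($pdo);
// A value containing placeholder-like characters stays data: it is never part of the SQL text.
$q = $db->prepare('SELECT title FROM posts WHERE title = ?', ['100%s pure data']);
var_dump($db->run($q)[0]['title']);

try {
    $db->prepare($q, ['again']); // double-prepare attempt: Query is not a string
} catch (TypeError $e) {
    echo "double-prepare rejected by the type system\n";
}
```

Because `Query` defines no `__toString()`, the rejection does not depend on `strict_types`; PHP has no way to coerce the object into the `string $sql` parameter.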