Agreed. But I'd rather advise webmasters to get rid of the vulnerable script altogether if they can, especially if it is a complex third-party script where they might have a hard time figuring out which query strings are safe and which are unsafe.
If they try to block all query strings because they can't distinguish the safe from the unsafe, there is no guarantee that the script will continue to work as intended or that webmasters will notice the breakage right away.
And if the script stops working as intended, couldn't it potentially have opened up other holes as well? After all, we agreed that the code was badly written to begin with, so breaking it in any way must be considered risky business. I can give a hypothetical example of this if you want.