Why does the 'bin' user need a login shell?

A user who has a valid shell and no password can still log in by non-password-based methods, the most common being an ssh key. A valid shell is necessary to run cron jobs. A valid shell is also necessary for su bin -c 'wibble' to work (on Linux at least, su bin -s /bin/sh -c 'wibble' will also work).

In the case of bin, most systems never run a command as bin in normal operation, so setting the shell to /bin/false would be ok.

There is no risk of any direct attack allowing bin to log in over SSH, because that would require creating /bin/.ssh/authorized_keys as the user bin or as root. In other words, the only way to get in is to be in. However, having a valid shell does increase the risk of misconfiguration. It can also permit some remote attacks with services other than SSH; for example, a user reports that an attacker could set a password for daemon remotely via Samba, then use that password to log in over SSH.

You can plug the SSH hole by listing the names of the system users in a DenyUsers directive in /etc/ssh/sshd_config (unfortunately, you can't use a numerical range). Or, conversely, you can put an AllowGroups directive and only allow the groups that contain physical users (e.g. users if you grant all your physical users that group membership).

There are bugs filed over this issue in Debian (#274229, #330882, #581899), currently open and classified as “wishlist”. I tend to agree that these are bugs and system users should have /bin/false as their shell unless it appears necessary to do otherwise.
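An audit sketch for the points above, added here as an example and not part of either answer: it lists system accounts that still have a usable shell, shows their password state, and prints a matching DenyUsers line. The function names, the UID threshold of 1000 and the sample passwd/shadow files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list system accounts that keep a usable login shell.
# Assumption: system accounts have UIDs 1..999 (Debian's default UID_MIN is 1000).
UID_MIN=${UID_MIN:-1000}

# system_login_accounts PASSWD [SHADOW] -> "name shell status" per account.
# status: locked (! or *), EMPTY (no password set), password (a hash), unknown.
system_login_accounts() {
    awk -F: -v min="$UID_MIN" '
        mode == "shadow" { pw[$1] = $2; next }
        NF < 7 || $3 == 0 || $3 >= min { next }    # malformed, root, human users
        $7 ~ /\/(false|nologin)$/ { next }          # shell already disabled
        {
            if (!($1 in pw))           status = "unknown"
            else if (pw[$1] == "")     status = "EMPTY"
            else if (pw[$1] ~ /^[!*]/) status = "locked"
            else                       status = "password"
            print $1, ($7 == "" ? "/bin/sh" : $7), status   # empty field means /bin/sh
        }
    ' mode=shadow "${2:-/dev/null}" mode=passwd "$1"
}

# deny_users_line PASSWD -> one sshd_config DenyUsers directive for those accounts.
deny_users_line() {
    names=$(system_login_accounts "$1" | awk '{ printf " %s", $1 }')
    if [ -n "$names" ]; then printf 'DenyUsers%s\n' "$names"; fi
}

# Constructed sample files (not taken from a real host).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
daemon:$6$CONSTRUCTED$notarealhash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
sys:!:19000:0:99999:7:::
EOF

system_login_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
deny_users_line "$SAMPLE_DIR/passwd"
```

On a real host, pass /etc/passwd and /etc/shadow (reading the latter needs root); a system account reported as password or EMPTY is the case to investigate first.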


You don't have to worry about those as users. They are "users" in the sense of security groups, not users in the sense of "login and use" people. If you look in "/etc/shadow", you will see that all these "users" do not have passwords (either "x" or "!" instead of a long salted hash). This means that these users cannot log in, no matter what.

That said, I don't know if it is a good idea to change "/bin/sh" to "/bin/false" for all these users. Because programs run under these groups, it might not allow them to execute the commands that they need to. I'd leave them as "/bin/sh".

There is no need for you to worry about these users. Only worry about the users you create (and ones with hashes in "/etc/shadow").