This is a tricky issue with CreateProcess when the quoting is not done correctly it will use some heuristics to figure out which part of the argument is the program name.
You can reproduce it by placing a file as c:\program.exe (which requires administrative privileges on default windows systems). Than that will be executed.
I don't think this is a security issue as an execution prevention policy that blocks CreateProcess of unsigned files etc. will block this and even on "unhardened" systems creating c:\program.exe requires higher privileges then just to execute such a process. Still when gpg4win is installed in a non standard path or on a shared drive this could be problematic.
It is definitely a bug regardless of the impact.