I'm not sure I catch your drift. It seems like the point is that it doesn't actually implement the SSH protocol; it just exploits the fact that a real SSH server is perfectly within its rights to send any data it wants to before a version string. (And on top of that, it looks like it doesn't even read anything from the socket?)
Is there something I'm missing here (probably related to poll(2)) that could cause this to be insecure?