It’s not an EVM exploit, exactly, but it is a way to maybe make auditors’ jobs more difficult. There are ways around each of these “social attacks”, but most of them require education. That will surely lag behind the Constantinople upgrade itself.
Right, if you prevent CREATE2 redeploys, then you prevent CREATE redeploys, as far as I can tell.