The problem - and a solution
The issue has nothing to do with the browser. I've tested on ICS with Chrome, default browser and Dolphin - all behave the same way.
Test here: dylanreeve DOT com/phone.php (uses IMEI display USSD - it's totally safe).
The issue is with the stock dialer. If you can prevent that dialer from handling the tel: URL then you can either prevent or at least intervene in attack attempts. So the solution is... Install another dialer (probably any other dialer).
dylanreeve.posterous DOT com/remote-ussd-attack
(I can't post URLs yet)