OK, I tested saving the Query String Exploits code on my site and it saved fine, so it is not an issue with WP 4.0.1. Just wanted to eliminate that as a possible cause.
OK, so what is happening is that when you try to save the actual Query String Exploits code, it is being seen as a threat by something else that you have installed either on your website or on your server. Most likely the BPS Query String Exploits code is being blocked by a mod_security SecRule/SecFilter.
You can try to turn off mod_security for testing, but if your host server does not allow doing that then this code will have no effect/will be ignored.
http://forum.ait-pro.com/forums/topic/how-to-turn-off-mod-security-mod_security-secfilterengine-off/
Add this code in this Custom Code text box: CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
Click the Save Root Custom Code button.
Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root folder BulletProof Mode.
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
Next, try to add and save the Query String Exploits code in the CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS text box and click the Save Root Custom Code button.
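To confirm from the server side that mod_security is what rejects the save, the Apache error log can be checked for denials on the admin URI. The following is an added example, not part of the original post or of BPS: it parses ModSecurity 2.x "Access denied" lines and counts the rule ids that fired. The log lines, rule ids, file paths and form field name are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the Apache error_log format written by ModSecurity 2.x.
# Client IP, rule ids, file paths and the form field name are made up.
SAMPLE_LOG = "\n".join([
    '[Mon Dec 01 10:15:02 2014] [error] [client 203.0.113.7] ModSecurity: Access denied '
    'with code 403 (phase 2). Pattern match "base64_decode" at ARGS:custom_code_field. '
    '[file "/etc/modsec/example.conf"] [line "41"] [id "1000001"] [msg "Constructed rule A"] '
    '[hostname "example.com"] [uri "/wp-admin/admin.php"] [unique_id "AAAA"]',
    '[Mon Dec 01 10:15:09 2014] [error] [client 203.0.113.7] File does not exist: /var/www/favicon.ico',
    '[Mon Dec 01 10:16:40 2014] [error] [client 203.0.113.7] ModSecurity: Access denied '
    'with code 403 (phase 2). Pattern match "base64_decode" at ARGS:custom_code_field. '
    '[file "/etc/modsec/example.conf"] [line "41"] [id "1000001"] [msg "Constructed rule A"] '
    '[hostname "example.com"] [uri "/wp-admin/admin.php"] [unique_id "AAAB"]',
    '[Mon Dec 01 10:20:11 2014] [error] [client 198.51.100.9] ModSecurity: Access denied '
    'with code 403 (phase 2). Pattern match "pingback" at REQUEST_BODY. '
    '[file "/etc/modsec/example.conf"] [line "77"] [id "1000002"] [msg "Constructed rule B"] '
    '[hostname "example.com"] [uri "/xmlrpc.php"] [unique_id "AAAC"]',
])

DENIED = re.compile(r'ModSecurity: Access denied with code (\d+)')
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')    # [id "..."], [uri "..."], ...
TARGET = re.compile(r' at ([A-Z_]+(?::[^\s.]+)?)\.')     # e.g. ARGS:name, REQUEST_BODY

def parse_denials(log_text):
    """Return one dict per ModSecurity denial line; other log lines are skipped."""
    events = []
    for line in log_text.splitlines():
        denied = DENIED.search(line)
        if not denied:
            continue
        fields = dict(FIELD.findall(line))
        target = TARGET.search(line)
        events.append({
            "status": int(denied.group(1)),
            "rule_id": fields.get("id"),
            "msg": fields.get("msg"),
            "uri": fields.get("uri"),
            "target": target.group(1) if target else None,
        })
    return events

def rules_blocking(events, uri_prefix):
    """Count rule ids that denied requests whose URI starts with uri_prefix."""
    return Counter(e["rule_id"] for e in events if (e["uri"] or "").startswith(uri_prefix))

if __name__ == "__main__":
    for rule_id, hits in rules_blocking(parse_denials(SAMPLE_LOG), "/wp-admin/").items():
        print(f"rule {rule_id} denied {hits} request(s) under /wp-admin/")
```

If a denial shows up at the time of the failed save, its rule id and matched field identify the rule for the host, which is more precise than testing with the whole engine switched off.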