I believe you're referring to seteuid(2) instead. The syscall you mentioned, setuid(2), makes a permanent change, because it sets the real and effective user IDs, and the saved set-user-ID.
Using seteuid(2) won't help. If the code can switch back to the saved set-user-ID and it gets exploited, it's rooted. No security added here.
If ping needed to open the raw socket only once, it could drop privileges permanently. But as we know ping needs to open sockets continuously.
> Now, I'm pretty sure that things are not actually that simple in the
>ping source code, but still I fail to see what advantage this complicated
>capabilities mechanism could have over careful code examination, and
>applying proved techniques as this one I tried to describe above.
Even if you do "careful code examination" when writing programs, that's not a replacement for good a security design. You'd still need other layers to protect from subtle issues.
One of the mantras of writing secure software is giving the least privilege necessary. That's what capabilities is about - though I confess I had never heard about them.