Searching for modules in the current directory is insecure, because you never know what the current directory is. It's not the directory where the script is, it's the directory where you are when you run the script. The current directory might be world writable (think /tmp), so anyone can insert a malicious module. Some scripts work without a module, but they try to load it (e.g. for better performance); on a system without the module installed, the malicious module would be picked up.

See rt#127834 for details.