Firstly, always reduce your code to the 'minimal' case - that means, get rid of anything else that isn't needed to demonstrate the problem. I reduced your code to:

#!/usr/bin/perl -Tw
use strict;
use CGI qw(:standard *table );
use CGI::Carp qw(fatalsToBrowser);

my $docroot = "/home/httpd/sec-html/";

sub is_tainted { return ! eval { join('',@_), kill 0; 1; }; }

print header();
$ENV{SCRIPT_FILENAME} =~ /\/home\/httpd\/sec\-html\/(.*?)\//;
#$ENV{SCRIPT_FILENAME} =~ /${docroot}(.*?)\//;
my $realm = $1;
if (is_tainted($realm)) { 
    print "realm: $realm is tainted in main0!<P>"; 
} else {
    print "realm: $realm is not tainted in main0<P>";
}
[download]

... which is a lot simpler. Also, $realm is untainted (according to this code) in either case, so I'm not sure why it doesn't work for you.

Check the things you include - perhaps they have a faulty version of is_tainted () (I took this implementation from the perlsec man page :), which is giving you false values?