A couple small problems with the paper:

• He does mention CGI.pm, but then proceeds to ignore it and continually try stuff like @pair = split(/&/, $ENV{'QUERY_STRING'}); throughout the paper.
• It's too long and not very well formatted. I mostly just read the code, the target audience definately won't read through the whole thing. Presentation is very important for these type of papers.
• He should have had a big sign at the start saying "Don't trust user input" because that's basically what all the problems result from.

On the plus side, it was fairly in-depth (could have been broken down into separate parts though) and it's always good to see coverage of cross-site scripting and other commonly ignored security issues.

Update: In question 12 ("I heard "homemade" CGI scripts are more vulnerable to being hacked than distributed") he could have mentioned NMS scripts as a quality alternative. For bonus points he could start a flamewar and say "but crackers have access to their source code" ;).