I really don't want to put words in Abigail-II's mouth, so I'll add my own. ;) I think that the point is that an ISP who allows its users to install CGI scripts from any source (including self-developed / written) without first reviewing the script is exposing themselves (and their clients) to security risks.

Reviewing would be nice, but costly, and I don't think many people want to pay for it. The alternative is to put any site that wants to install their own CGI programs on either a dedicated box (which will cost more than $10/month of course), or you're put on a box with only sites that put their own CGI programs on box, and are told about the risks the others can do to you. Such boxes should have their bandwidth limited by a router (to prevent other hosts from becoming unreachable). SMTP traffic will only be allowed to at most a few other boxes (local to the ISP), in order to limit the number of outgoing messages per time unit.

It won't prevent the box being used as a relay, but it will prevent it from becoming a big problem.

Abigail