in reply to Re^2: use lib './' security safe?
in thread use lib './' security safe?
I don't think that '.' in @INC is a security risk in the same way as '.' in $ENV{PATH} would be.
With PATH there is a risk of root cd'ing into a directory and running a trojaned ls, compromising the system. An attacker might have write access to their home directory, which would be expected (under the assumption that the attacker is an authorised user).
With @INC, if the attacker can write a trojaned CGI.pm then they would have write access to the directory, and they could just as easily unlink the script itself and replace it with a trojaned version.
Correct me if I'm missing something.
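A way to check the point the thread is about in practice: the following script, which is an added example and not code from the post, audits @INC for relative entries (which Perl resolves against the current working directory at require() time, not against the script's own directory) and for directories that other users could write to. The audit_inc function name and the checks it applies are this example's own choices.

```perl
#!/usr/bin/perl
# Added example, not from the PerlMonks post: audit @INC for entries that an
# attacker with write access somewhere on the filesystem could use to supply a
# trojaned module such as CGI.pm.
use strict;
use warnings;
use File::Spec;
use Cwd qw(abs_path);

# The setting the thread asks about. 'use lib' is compile-time, so the
# relative entry is already in @INC by the time audit_inc() runs.
use lib './';

sub audit_inc {
    my @findings;
    for my $dir (@INC) {
        next if ref $dir;    # skip code refs and objects, which are not paths
        if (!File::Spec->file_name_is_absolute($dir)) {
            # Relative entries depend on whatever cwd the process has when the
            # require happens, which need not be the script's directory.
            my $now = abs_path($dir) // 'nonexistent';
            push @findings, "relative entry '$dir' (currently resolves to $now)";
        }
        next unless -d $dir;
        my $mode = (stat $dir)[2] & 07777;
        if (($mode & 0002) && !($mode & 01000)) {    # world-writable, no sticky bit
            push @findings,
                sprintf("world-writable directory %s (mode %04o)", $dir, $mode);
        }
        my $owner = (stat _)[4];    # reuse the stat buffer from the line above
        if ($owner != 0 && $owner != $<) {
            push @findings,
                "directory $dir owned by uid $owner, not root or the current user";
        }
    }
    return @findings;
}

my @findings = audit_inc();
print "WARNING: $_\n" for @findings;
print "no findings\n" unless @findings;
```

Run it from a directory you do not control (for example /tmp) to see why the "currently resolves to" value for './' matters: the module search path moves with the cwd, not with the script.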