It could be considered sloppy to have executable bits on on non-executable modeles, but some modules actually DO contain commands (to be run when you do "./Module.pm") and ofcourse, it's always possible to do perl ModuleName.pm and run the code anyway.

I don't really see the security issue. If you run ModuleName.pm you usually run the same code you run when you require ModuleName;, and if not, it's probably for a reason. People can hide code anywere anyway (especially with CPAN modules on make install).