I think you mean you agree with me, no? Unless you're really arguing that simply using a CPAN library renders your application secure to all attackers? I think you're arguing against the converse of what I stated, not my actual point.