I've been wondering if there is any logic to my "no CPAN" requirements that I have been putting up for 13 years on PerlMonks.
If you don't know why you can't use CPAN, then yes, there is no logic to it. If you have a specific reason then that might be logical - even if that specific reason is 'the boss says so'.
As for malware - I have a mini-cpan repository that gets scanned by the local anti-virus on a regular schedule. There are a couple of known viruses in it - but upon examination they are in test suites, so that modules can prove they work correctly when dealing with them. (For instance, there is one in SpamAssassin's test suite which, from the comments, SpamAssassin once broke on.) Other than that, nothing gets found.
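One way to triage scanner hits like those described above by where they sit inside a distribution, as an added example that is not part of the original post. It assumes the mirror has been unpacked under a hypothetical `/srv/minicpan-unpacked` and that the scanner writes clamscan-style `path: signature FOUND` lines; the distribution names, paths and signature name are constructed.

```python
import re
from pathlib import PurePosixPath

ROOT = "/srv/minicpan-unpacked"          # hypothetical unpack location
HIT = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

TEST_DIRS = {"t", "xt"}                  # conventional CPAN test directories
CODE_DIRS = {"lib", "bin", "script", "scripts", "inc"}
BUILD_FILES = {"Makefile.PL", "Build.PL"}
# CPAN clients run the test suite during install, so scripts under t/ execute;
# only non-script files there are treated as inert fixtures.
TEST_SCRIPT_EXT = {".t", ".pl", ".pm"}

def classify(path, root=ROOT):
    """Return (distribution, verdict) for one flagged file path."""
    try:
        parts = PurePosixPath(path).relative_to(root).parts
    except ValueError:
        return None, "outside-mirror"
    if len(parts) < 2 or ".." in parts:
        return None, "review"
    dist, inner = parts[0], parts[1:]
    if inner[0] in TEST_DIRS:
        is_script = PurePosixPath(inner[-1]).suffix in TEST_SCRIPT_EXT
        return dist, "test-code" if is_script else "test-fixture"
    if inner[0] in CODE_DIRS or (len(inner) == 1 and inner[0] in BUILD_FILES):
        return dist, "installable-code"
    return dist, "review"

def triage(log_text, root=ROOT):
    """Parse scanner output and return (dist, signature, verdict) per hit."""
    results = []
    for line in log_text.splitlines():
        m = HIT.match(line.strip())
        if m:
            dist, verdict = classify(m["path"], root)
            results.append((dist, m["sig"], verdict))
    return results

# Constructed sample scanner output.
SAMPLE_LOG = """\
/srv/minicpan-unpacked/Example-Filter-1.00/t/data/sample.eml: Constructed.Sig-1 FOUND
/srv/minicpan-unpacked/Example-Filter-1.00/t/basic.t: Constructed.Sig-1 FOUND
/srv/minicpan-unpacked/Example-Tool-0.02/lib/Example/Tool.pm: Constructed.Sig-1 FOUND
/srv/minicpan-unpacked/Example-Tool-0.02/README: OK
/srv/minicpan-unpacked/Example-Misc-0.10/examples/demo.pl: Constructed.Sig-1 FOUND
"""

if __name__ == "__main__":
    for dist, sig, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:17} {dist}  {sig}")
```

Only `test-fixture` hits match the benign case described in the post; `test-code` and `installable-code` hits are in files that run at install time or afterwards and need a closer look.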