I have wondered the same thing myself.
In a prior life when I was developing life/safety embedded systems in C there were several very attractive 3rd party C Libraries that would have saved a lot of time and effort. However, I could not justify the risk of using these packages. Yes, the C compiler also came from an outside vendor, but at least it was from a large company with deep pockets in case the lawyers ever got involved.
Maybe the CPAN modules you(all) use aren't life/safety related, but CEOs these days can be held criminally liable for failures in information systems(hacking/idenity theft/etc) and most can't evaluate their risk. At least a large user base should shake out problems quicker.
What say you?