it's much the same as saying that DBI is vulnerable by design because putting user-supplied strings into a do() or prepare() call could result in SQL injection
Well, yes and no: I'm saying that yes, it's a security issue like code injection, both in that it should be seriously considered and warned about, but also in that if you are aware of the issues and know what you are doing and can use it safely, then fine. But no, it's not exactly like DBI's API, because apparently Module::Load chose to overload its load function to be able to load both modules and files, which could have been designed differently to avoid this issue.
nobody in their right mind would write code which passed unvalidated user-supplied data to such methods
Well I've seen it done one too many times, and so this statement could also be read with a sarcastic meaning ;-)