Because something as seemingly safe as use strict can load strict.pm from the current working directory, which might be somewhere globally writable like "/tmp/".
There was apparently a real-world way of exploiting this to do nasty stuff, but the Perl development team haven't yet publicly disclosed what it is. I imagine it's an exploit in some commonly used Perl web app like cPanel or Webmin. They do plan on releasing the info eventually, once they've decided people have had enough time to move to newer Perl versions which don't have "." in @INC by default.