I just don't understand why SOAP is treated so specially. SOAP have not added anything really new. You can roll your own RPC implementations using HTTP and CGIs, SMTP and scripts in /etc/aliases, etc. SOAP can be more convinient in some cases because it is standart and is supported in many languages. And developer who doesn't understand security implications of networking applications can open security holes both in CGI and in SOAP server.
I tend to agree that with SOAP::Lite it is too easy to make mistakes. But it is just fault of SOAP::Lite but not fault of SOAP protocol itself. Adding requirement to specify list of methods which can be remotly called could solve this problem.