I think they consider Perl core to be well enough tested and reviewed by its widespread usage. The security team follow CVE closely and if any significant new vulnerability is found, patching it is highest priority work (for all software we use). Other random modules from CPAN are an unknown and would need to be reviewed in depth. I realise I am more likely to introduce a novel bug re-creating wheels, but it has the advantage of not being deployed outside this organisation, so less likely to be found and exploited. Another site I have worked at even removed most of the core modules. If you wanted one you needed a good reason and a review before it could be used. This sort of approach is common in banks (at least in Europe) with regular audits and a high chance you get your marching orders if you use any non-approved software. Any novel software does get a lengthy review including penetration testing, design reviews etc. It's possible, but for something small like this it is quicker to write a new solution in house.
Pereant, qui ante nos nostra dixerunt!