I have not studied CGI.pm in great enough depth to evaluate your crticisms, though they seem legitimate. However, what I have seen a lot of in my time here (including two years lurking before signing up) is a long stream of Monks who were unaware of CGI.pm or thought they didn't need it, and instead believed incorrectly that they could parse query strings, interpret application/x-www-form-urlencoded and multipart/form-data POST submissions, and parse or create cookies on their own using only regexes and Perl's builtin operators. These things can be done, but doing them right is harder than these people realized. There are a few problems with this:

1. As a general matter, application developers should not have to worry about the implementation details of the protocols and calling conventions they use. This is what APIs are for.
2. Failing to properly treat these kinds of inputs can likely lead to security problems.
3. All developers should learn the habit of looking whether the problem they're trying to solve has been solved before in a way that they can reuse. People who try to read web forms or cookies by hand are likely not to be following this rule in other regards as well. This is Laziness in the good sense.

So if the issue is that people are using the wrong module, you may be right. But the bigger issue is people who are unaware of/refuse to use the excellent modules at their disposal.