It's because you (very sensibly) don't have "." in your PATH environment variable. If you do, it becomes an attack vector for people to get you to execute their own code instead of real stuff.

For example, let's say your path is:

.:/usr/bin

so that commands will first be searched for in your current directory, then in /usr/bin.

Then another user creates an executable script file ls in their home directory which changes to your home directory and deletes all your files. Then they tell you they've got something interesting in their home directory. You run ls to see what they have, and your files are deleted. All because it ran ls from your current directory first.
This is a particular favorite attack vector against naive system admins.
To be honest, on my home machines, I don't worry too much, since I'm the only user and I'm not prone to downloading stuff I don't trust. So I usually add "." to my path for convenience, but usually at the end so it doesn't get in the way of my more regular commands.
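The lookup-order problem the answer describes, as an added example that is not part of the original post: a small PATH audit that flags ".", empty fields, relative entries and world-writable directories, plus a demonstration of which "ls" the shell actually runs when "." is first versus last. It uses a harmless stand-in script that only prints a marker, and assumes the real ls is in /bin or /usr/bin.

```shell
#!/bin/sh
# Added example (not from the original answer). Two parts:
#  1. audit_path: report the PATH entries the answer warns about.
#  2. run_with_dot_first / run_with_dot_last: show which "ls" a shell picks
#     when "." is first or last, using a stand-in script that only prints
#     a marker. Assumes the real ls lives in /bin or /usr/bin.

# Print one line per risky entry in the PATH string given as $1:
# "." and the empty field (both mean the current directory), relative
# entries, and existing absolute directories that are world-writable.
audit_path() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
        case "$entry" in
            "")  echo 'EMPTY (means current directory)' ;;
            .)   echo '. (current directory)' ;;
            /*)  # -H follows a symlinked directory such as /bin -> usr/bin
                 if [ -d "$entry" ] && \
                    [ -n "$(find -H "$entry" -prune -perm -0002)" ]; then
                     echo "$entry (world-writable)"
                 fi ;;
            *)   echo "$entry (relative entry)" ;;
        esac
    done
}

# Exit status 0 only when audit_path reports nothing.
path_is_clean() {
    [ -z "$(audit_path "$1")" ]
}

# Create a scratch directory holding a fake "ls" that prints a marker
# instead of deleting anything, run "ls" from inside it with the given
# PATH, and print whatever ran. The scratch directory is removed afterwards.
run_ls_with_path() {
    scratch=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho LOCAL-LS\n' > "$scratch/ls"
    chmod 755 "$scratch/ls"
    ( cd "$scratch" && export PATH="$1" && ls )
    rm -rf "$scratch"
}

run_with_dot_first() { run_ls_with_path '.:/bin:/usr/bin'; }   # prints LOCAL-LS
run_with_dot_last()  { run_ls_with_path '/bin:/usr/bin:.'; }   # real ls lists "ls"
```

Running audit_path "$PATH" on a login shell is the quick check for the situation in the question; the two run_with_* functions make the difference between the two orderings visible without anything being deleted.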