Many years ago, when I was beginning with Perl programming and learning about CGI, there was a guiding principle: "Trust the user, but not the data." (Some also shorten it to "Don't trust the user", but this sounds a bit too hard in my ears.)
Today, security is much more important than back in the 90's - more computers, more hackers, to break a complex subject down to something very simple.
So, ANY move to improve the security of web applications is a good thing and should be done. Securing sessions is just one step.
In the past, I have experienced some website hacks, but none of them with WB. (But, of course, I don't have hundreds of WB installations like other guys.) AFAIK none was caused by session forgery. Anyway, I still think there are many security leaks concerning sessions in WB - also found them in the code of WB 2.9. But, securing the session itself is just one step - you will also have to check the session data. This step is missing very often. (Also for form data.)
Perl has a feature called "taint mode". If you add the -T flag to the shebang, it will no longer allow you to use data that came from "outside" without checking it. For example, it won't allow something like this:
my $arg=shift; # get parameter from command line
system($arg); # and execute it as a system command
(See here for more details: http://www.webreference.com/programming/perl/taint/)
But, to get back to your question: Yes, I think session security should be added to the core, but I would go much further than just encrypt the session data.
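The taint-mode behaviour described in the post, as an added example that is not part of the original post: the raw command-line argument is refused by system(), and only a value that passed a validating regex capture is accepted. The allowlist contents and the helper name untaint_name are constructed for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post): taint mode in practice.
use strict;
use warnings;
use Scalar::Util qw(tainted);

$| = 1;   # keep our output ordered with the child's output

# Taint mode also distrusts the inherited environment; system() dies
# with "Insecure $ENV{PATH}" until PATH is set to known values.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed allowlist: logical name => fixed argument vector.
my %ALLOWED = (
    date   => ['date', '-u'],
    whoami => ['whoami'],
);

# Return an untainted copy of $raw if it is a known name, else nothing.
# Only a regex capture ($1) clears the taint flag, so the pattern must be
# the validation itself, never a catch-all such as /(.*)/.
sub untaint_name {
    my ($raw) = @_;
    return unless defined $raw && $raw =~ /\A([a-z]{1,16})\z/;
    my $name = $1;
    return exists $ALLOWED{$name} ? $name : undef;
}

my $arg = shift;   # everything in @ARGV is tainted under -T
die "usage: $0 <name>\n" unless defined $arg;
printf "raw argument tainted: %s\n", tainted($arg) ? 'yes' : 'no';

# The pattern from the post: Perl aborts the call before anything runs
# ("Insecure dependency in system while running with -T switch").
eval { system($arg); 1 } or print "blocked: $@";

# Validate first, then execute in list form so no shell is involved.
my $name = untaint_name($arg)
    or die "rejected argument\n";
printf "validated name tainted: %s\n", tainted($name) ? 'yes' : 'no';
system(@{ $ALLOWED{$name} }) == 0
    or die "command failed: $?\n";
```

Run it as `perl -T script.pl date`, or make it executable and run it directly; Perl refuses to start if -T appears on the shebang line but not on the command line.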