The problem isn't CUPS itself, which is not made to listen on all interfaces by default. The problem is the printer discovery service, cups-browsed, which listens for any printer on the LAN (or any attacker anywhere) that advertises itself to it and automatically registers that printer in your system.
Whether it's a good idea to have a service like this is highly debatable, but if it is added, it has to listen to all requests from anywhere (and the firewall port for it has to be open), otherwise it's entirely useless.
