CA does not sign a message (like CSR) received from the certificate applicant. CA signs a data set that it creates itself. Simply put, this data set contains a public key sent by the applicant and some fields that CA sets. Some of these fields will be copied from the CSR, the others do not depend on CSR.
If the requested validity is relatively long, e.g. 1000 years, this increases the probability that the certificate will be compromised. That's why, for the most purposes, it cannot be arbitrary long. E.g. for DV certificates the validity period cannot be longer than 397 days, or about 13 months.
It is up to CA how to deal with request that contains no validity period. E.g. CA can reject it or apply some defaults. But in any case, if certificate is issued, it will contain valid (non empty) validity period.
Am I correct to say that the CA could be duped into signing a message containing malicious code ... ?
CA does not sign any code. CA signs public key of the requester and some fields. Before issuing certificate, CA validates the fields that identify the requester. E.g., for S/MIME certificate, CA will verify if you are really the owner of particular email. Or for DV certificate, CA will verify if you are really the owner of the requested domain.
And, if lifetime info is not included, can an attacker create certificates with longer lifetime than intended?
Can the attacker issue a certificate in the name of any well known trusted CA? No. The attacker would need a private key of this CA. Private keys are kept secure, normally using some hardware.
Can the attacker change the validity period of certificate? No. Because changing of any certificate field will make the CA signature invalid and the certificate will not be trusted.