(and if not, does it actually improve client side security?)
I'm thinking of the case where a script from server X uses XHR to obtain and run untrusted code from server Y (which supports CORS).
(obviously evaluating untrusted code is bad™)
I do not use CORS to improve security at all. I use CORS to access a known webservice on a different domain which I would not be allowed to access without CORS. Nothing to do with improving security in my opinion, but to allow data from one domain to be entrusted to another.