Huh. That is odd. I had originally thought that the security settings for stripping HTML tags and attributes was the culprit, but when I disabled all those, I saw the same results you do with the lang attribute being stripped out. But, just manually editing the metadata to use HTML with the lang attribute worked just fine.
So, worst case is that your approach works, just not with the CSVImport plugin.
I suspect that the plugin is somewhere applying overly-cautious checks similar to the core security settings and/or not properly using those settings, so I’m filing this as a bug in the plugin.