Most security audits will fail the versions of Apache and php packages available for OpenVMS, among other common tools. (I've worked with auditors that have flagged and failed far newer versions than what are available with VMS.)
The web server should not own and should have extremely limited write access to any device and directory and file resources. The default should be no write access, and no control access, and often a top-level ACL on everything else blocking access. Some web-facing systems do require writeable directories (for client file uploads, usually), and those can be, well, hazardous.
It can be easier to deploy a locked down web server (often in a DMZ) than to try to lock down an existing and active server, too.
Web server attacks now tend to target the injection of php code or of SQL, depending on what services are active and what the site is serving up. Proper file protections are a reasonable backstop for some of that, but are far from a panacea. Other attacks can include gifar uploads (into directories that are writeable) and the recent spate of "fun" that has been Firesheep.
