httpd setup will not be secure until developers setup chrooted httpd process (per client).
open_basedir is not safe enough. It is easily overriden and an attacker can easily have access to entire disk, including all other hosted sites.
Also, open_basedir will not help when an attacker uses...