Hi Richard,
mod_security has been designed to block execution of insecure code and there's nothing that can be done to force mod_security to block insecure code of one application and allow similar code of other. We have tweaked mod_security to allow applications which can never result in hacking of websites through browser based injection, but mod_security won't stop mysql or ftp based injections. We have different set of rules in my.cnf and csf.conf to prevent mysql or ftp hacking. What happened before couple months with all those FTP password hacking attempts was due to weak passwords set on some shared hosting accounts. We had to disable main cpanel account FTP access on most of our cpanel shared hosting servers due to this problem.
We now have better protection against such FTP hijacks and our servers are safe enough against the browser based or mysql injections due to the high level of security we have on our servers.
It hardly takes some time to remove bad code from your website, but it takes long time to recover lost data once your website gets hacked and the backup you get turns out to be 1 week old.
