You have obviously never used the Metasploit Meterpreter. It can pivot off any running process and run commands with that privilege level. It can also traverse your network, creating tunnels as it goes along. This is why you want to prevent privilege escalation and tunnel creation. If they can't escalate or create a tunnel, then they are stuck on the first box that is exploited. It's damage control. It also buys you time to respond. If you can detect the activity, you want to be able to stop it before the threat spreads.
In an eCommerce environment this is the difference between losing your user database and losing customer information. There have been many breaches in recent history where user data was leaked but no customer information was compromised. The bank is able to reset all passwords before damage is done. I imagine there was some form of internal security that kept the intruder away from sensitive data on another server deeper in the network.
A layered security approach has benefits. Is it overkill? That depends on a changing threat landscape. Tomorrow we may all be vulnerable again.
Check the Exploit DB for Apache exploits and come back a paranoid security advocate: