Mod_security is great. I recommend checking out Atomic Secured Linux, which is a product comprising a hardened Linux kernel with trusted path execution, PaX and grsecurity, ClamAV, mod_security, mod_evasive, OSSEC, rkhunter and SSH hardening, and which comes with continuously updated custom rulesets for its components. It can do geoblocking and active response based on security events, and comes with a web interface for management. No, I don't work for them; I'm just a happy customer.
Now, of course, having good system-level security doesn't mean it's not important to keep security in mind when building a web application, but the additional layers of security definitely help.