How many of you are running Suhosin? That's http://www.hardened-php.net/suhosin/ if the answer is no.
Do you have an alternative mod that you prefer? Or do you run security checks on *everything* before letting it go live?
What about mod-spamhaus? mod_security? mod_evasive? These were at one point the trifecta for getting our clients' sites locked down quickly.
We don't install these 3 when we put sites behind Varnish, but we use Suhosin whenever we install WP and particularly WPMU.