ModSecurity is essential when it comes to securing any web site.
It will make the work of the attacker much harder and it may save you even if your favorite dynamic pages have a security hole.
However, it must be configured wisely to be effective. It is just a firewall that works at the application layer: you need to know the attacker's point of view and the basics before writing any ModSecurity rules, otherwise at best it will be useless (and at worst, it will kick legitimate traffic off).
So, stay tuned: I will talk more about the ModSecurity stuff and publish a review of this book soon.
It is incredible that Microsoft invests so much money in its security and that there is still such a bad security design for programs that in no way should be granted any administrator access (calc.exe or notepad.exe).
Also, I can’t imagine that no one could detect it in their teams during the quality process and security audit.