next up previous
Next: Bind Up: Specific Software Previous: Specific Software

Apache

Apache has a generally good security record; the main problems with running it relate to CGI scripts. A badly written CGI script can open the way to a remote exploit.

If you allow local users to write their own CGI scripts, think about how these are run. By default they run as the user that Apache runs as (normally `httpd'). Apache ships with a small suid program called 'suexec' that runs CGI scripts as the user who owns them, which may well be worth considering. Remember that if people are running CGIs as 'httpd' then they will be able to arrange for their scripts to read any file that the webserver could read, including anything to which access would normally be blocked by a .htaccess file or similar.

Enabling suexec depends on the distribution you are using, but normally just consists of finding the program and making it suid. Apache checks for it, and whether it is suid, when it starts, and enables or disables it accordingly. Before you enable it I'd recommend you read the pages on suEXEC in the Apache manual (http://httpd.apache.org/docs/suexec.html) so that you understand exactly what it is doing. On Red Hat 6.x you can enable it with


chmod 4711 /usr/sbin/suexec
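As an added example (not part of the original page, and not Apache's own tooling), the following POSIX shell script checks that a suexec binary is installed the way the text describes before you rely on it: owned by root, with the setuid bit from "chmod 4711" set, and not writable by group or others (a writable setuid-root program could be replaced by anyone who can write to it). The default path is the Red Hat 6.x location quoted above; the function names are the script's own.

```shell
#!/bin/sh
# Added example: sanity-check a suEXEC wrapper's ownership and mode.
# Uses only ls/cut/awk so it runs on any POSIX system.

# Return 0 when the file exists and the owner-execute column of
# "ls -l" shows 's' (setuid + executable); explain the failure otherwise.
suexec_mode_ok() {
    f=$1
    [ -f "$f" ] || { echo "$f: not found"; return 1; }
    perms=$(ls -ld "$f" | cut -c1-10)
    # column 4 is 's' for setuid+exec, 'S' for setuid without exec
    case $(printf %s "$perms" | cut -c4) in
        s) ;;
        S) echo "$f: setuid set but not executable by owner"; return 1 ;;
        *) echo "$f: setuid bit not set (chmod 4711 $f would set it)"; return 1 ;;
    esac
    return 0
}

# suexec changes to the script owner's uid, so it must be root-owned.
suexec_owner_ok() {
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$owner" = root ] || { echo "$1: owned by $owner, must be root"; return 1; }
}

# Group- or world-writable: columns 6 and 9 of the mode string.
suexec_not_writable_by_others() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case $(printf %s "$perms" | cut -c6)$(printf %s "$perms" | cut -c9) in
        *w*) echo "$1: writable by group or others"; return 1 ;;
    esac
    return 0
}

# Run all three checks; the path defaults to the Red Hat 6.x location.
check_suexec() {
    f=${1:-/usr/sbin/suexec}
    suexec_mode_ok "$f" && suexec_owner_ok "$f" && suexec_not_writable_by_others "$f"
}

# Only check when a path is given on the command line.
if [ $# -gt 0 ]; then
    check_suexec "$1"
fi
```

Run it as `sh check_suexec.sh /usr/sbin/suexec` (or the path your distribution uses); a silent exit status of 0 means the wrapper is installed as Apache expects, and any other result prints the reason.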


Stephen White
2001-01-16