The php ini directive of 'open_basedir' may be fine when related to php filesystem functions, but the danger is not confined to just that.
The usage of system based functions is a great risk too. Imagine if a mock shared server is running apache as nobody and someone used system() to 'cat' a configuration file for a forum or such. The dangers are immense.. instead of having an account with 'writable' files in, this malicious user now has access to a database full of account hashes and email addresses.
The best path of action, is to have php running as the user id(As someone mentioned above). One possible method to achieve this is by running php as a CGI and through suEXEC.