Thanks for explaining mod_security!
As a wannabe Perl guy, I appreciate the power and flexibility of regular expressions. mod_security seems to be an elegant and relatively simple solution to a complicated problem.
I don't think the point is to avoid having to build security into applications from the ground up. After all, the same regexes you'd use in mod_security would work just as well in the application's input validation and probably ought to be there as well. Nothing wrong with double-checking input where potential security issues are concerned.
But I think mod_security is more than just a stopgap measure.
First of all, it is a security wrapper that can be used to protect web apps that you didn't write yourself and haven't had time to pick apart for flaws. Imagine your boss handing you an app written by a vendor and telling you to get it up and running ASAP. That never happens, right? Enter mod_security.
Second, why wouldn't you want to stop attacks as early in the session as possible? It means you can free up resources to handle the next legitimate request that much faster.
The only real drawback is what we all know: that complex regular expressions can be very tricky to implement. But that's another reason I like mod_security's post payload functionality. You can filter input progressively through a ruleset of many regular expressions rather than having to craft the "one true regex" that catches everything.
I'll definitely keep mod_security in mind.
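The "progressive ruleset" idea from the comment above, as an added illustration that is not part of the original post and not mod_security's own code: a small Python model of a rule chain in which each regex is one narrow rule, rules are evaluated in order, a `deny` rule stops processing and a `log` rule only records a hit. The `Rule`, `Verdict`, `evaluate` and `is_valid_field` names, the rule ids and the sample form payloads are all constructed for this example; the allowlist rules double as the input validation the application itself could reuse, which is the other point the comment makes.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One narrow check, in the spirit of a mod_security rule (constructed model)."""
    rule_id: int
    msg: str
    pattern: str
    negate: bool = False        # True: fire when the pattern does NOT match (allowlist style)
    action: str = "deny"        # "deny" blocks the request; "log" records the hit and continues
    field_name: Optional[str] = None  # restrict to one form field; None inspects every field


@dataclass
class Verdict:
    blocked: bool
    hits: List[Tuple[int, str]] = field(default_factory=list)  # (rule id, field that triggered it)
    reason: str = ""


# Constructed ruleset. Each regex is small and testable; together they replace
# the "one true regex" the comment warns against.
RULESET: List[Rule] = [
    # Allowlist rules: a field that does not match its expected shape is rejected.
    Rule(1001, "username must be 3-32 chars of [A-Za-z0-9_.-]",
         r"^[A-Za-z0-9_.-]{3,32}$", negate=True, field_name="username"),
    # Denylist rules: well-known markup/query fragments that no form field should carry.
    Rule(2001, "embedded script tag in form field", r"<\s*script\b"),
    Rule(2002, "SQL UNION ... SELECT fragment in form field", r"\bunion\b[\s\S]*?\bselect\b"),
    # Audit-only rule: control characters are suspicious but only logged here.
    Rule(3001, "control character in form field", r"[\x00-\x08\x0b\x0c\x0e-\x1f]", action="log"),
]


def evaluate(payload: Dict[str, str], ruleset: List[Rule] = RULESET) -> Verdict:
    """Run a parsed POST body (field name -> value) through the rules in order.

    The first matching deny rule ends evaluation, so the request is stopped before
    the application ever sees it; log rules accumulate without blocking.
    """
    verdict = Verdict(blocked=False)
    for rule in ruleset:
        regex = re.compile(rule.pattern, re.IGNORECASE)
        for name, value in payload.items():
            if rule.field_name is not None and rule.field_name != name:
                continue
            matched = regex.search(value) is not None
            if matched != rule.negate:          # the rule fires
                verdict.hits.append((rule.rule_id, name))
                if rule.action == "deny":
                    verdict.blocked = True
                    verdict.reason = f"rule {rule.rule_id}: {rule.msg}"
                    return verdict
    return verdict


def is_valid_field(name: str, value: str, ruleset: List[Rule] = RULESET) -> bool:
    """Reuse the allowlist rules for a field inside the application's own validation.

    This is the "same regexes belong in the app as well" idea: the web server wrapper
    and the application check the same shape, so neither is the single point of failure.
    """
    for rule in ruleset:
        if rule.negate and rule.field_name == name:
            if re.fullmatch(rule.pattern.strip("^$"), value, re.IGNORECASE) is None:
                return False
    return True


if __name__ == "__main__":
    # Constructed sample payloads, as a web server would hand them over after parsing the body.
    samples = [
        {"username": "alice_01", "comment": "hello world"},           # clean
        {"username": "al ice", "comment": "x"},                       # fails the allowlist
        {"username": "bob", "comment": "<SCRIPT>test</SCRIPT>"},      # denylist hit
        {"username": "carol", "note": "a\x00b"},                      # logged, not blocked
    ]
    for sample in samples:
        v = evaluate(sample)
        print("BLOCKED" if v.blocked else "allowed", v.hits, v.reason)
```

Rule order is part of the policy: field-shape allowlists go first because they are the cheapest and most specific, broad denylist signatures follow, and audit-only rules come last so that a logged hit never pre-empts a block.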