Regarding it being a security risk, if implemented correctly, it's no more of a risk than allowing mod_php to run on customer sites.
And that's why mod_php is normally not used on an ISPConfig server. ISPConfig provides mod_php support only for legacy reasons and it should not be used on servers that host clients or are connected to the internet. For hosting servers, use php-fcgi in conjunction with suexec as described in the manual. In ISPConfig, each site runs under a different Linux system user, so you won't be able to have write access to the files from a script running under mod_php anyway. Also, you should be aware that ISPConfig is a multiserver control panel where the web server and the control panel server are not necessarily the same system, so you can't access any files from a script that are on the web server if the control panel server is a different system. The only option to provide file-explorer-like functionality is the use of a webFTP client where the customer can log in with their FTP username and password.