You can beef up Apache security a little by installing mod_security, disable all modules that are not used. Set ServerTokens to Prod, restrict access rights to site content and lastly chroot apache.
Last part im not sure if it works with ISPconfig?
Regarding PHP, you should run it as website owner. Set display_errors to Off, set expose_php to off, set log_errors to On. Register global should be Off. Than we have Safe Mode, but there is ISPc interaction with the services that has to be taken in consideration when you hardening services.