actually, this is _exactly_ where AppArmor is the most useful. if the PHP
script is restricted by AppArmor it won't be able to go out and touch
things that it's not supposed to.
if you are targeting one specific company or one specific server then you
are correct, however most attacks are not that targeted, they do things
like useing google to find random servers that are running vunerable
software and attack that (or just try the attack against random IP
addresses in case it happens to be running the vunerable software)