Web server security


Apache has a number of features for improving the security of web services and preventing unwanted access to files.

First, always configure Apache to run as a non-privileged user or group, and then make sure none of the content files or configuration files of Apache can be written to by this user or group. (You'll usually want content files to be readable, even world-readable, of course). This prevents exploitation of bugs in Apache to overwrite content (leading to web site defacement) or modify its configuration (possibly to further weaken security).

Allowing use of CGI programs is a security risk, since bugs in CGI programs can bypass other Apache security restrictions. In a highly secure configuration, install only the necessary CGI programs in an administrator-managed cgi-bin directory, or avoid the use of CGI altogether. If you do need to allow users to create and run their own CGI programs, consider the "suexec" feature, which runs each user's CGI programs under that user's UID instead of the server's UID (with its own tradeoffs).

There are configuration directives to limit Apache's access to filesystem directories (<Directory>) and URL locations (<Location>), under which you can specify which server options are permitted, which .htaccess configuration directives are permitted, and which clients are allowed or denied access. You should use these to ensure that the server will only access content in specified system or user directories, and to limit access to unwanted server features or configuration options. These can also improve performance by telling the server not to check for .htaccess files or symlink ownership outside content directories.
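As an added example (not part of the original page), here is an Apache 2.4 configuration that applies these directives: a deny-everything default for the whole filesystem, a re-opened content tree with limited options and no .htaccess processing, an administrator-managed cgi-bin, and a URL location restricted by client address. The paths, the /server-status location and the 192.0.2.0/24 "admin network" are assumptions.

```apache
# Added example, not from the original page. Apache 2.4 syntax; paths and
# the admin network are assumptions.

# 1. Deny the whole filesystem by default: no options, no .htaccess, no access.
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

# 2. Re-open only the content tree. SymLinksIfOwnerMatch (instead of
#    FollowSymLinks) refuses a symlink whose target has a different owner,
#    so a user cannot link to files outside the tree. No directory listings,
#    no CGI, and AllowOverride None also skips .htaccess lookups on every request.
<Directory "/var/www/html">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
</Directory>

# 3. CGI runs only from an administrator-managed directory mapped by
#    ScriptAlias; ExecCGI is never enabled under the content tree above.
#    ScriptAlias already marks this directory as CGI, so no Options are needed.
ScriptAlias /cgi-bin/ "/usr/lib/cgi-bin/"
<Directory "/usr/lib/cgi-bin">
    Options None
    AllowOverride None
    Require all granted
</Directory>

# 4. Never serve dotfiles (.htaccess, .htpasswd, .git, ...) from anywhere.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# 5. A URL location (not a filesystem directory) limited to the local host
#    and an assumed admin network.
<Location "/server-status">
    SetHandler server-status
    Require ip 127.0.0.1 192.0.2.0/24
</Location>
```

Run `apachectl configtest` after editing to confirm the file parses before reloading the server.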

SSL protects HTTP traffic from eavesdropping on the network, but many web server administrators forget that form content or other user input is received and decrypted before being locally processed and stored. SSL web servers need to be very carefully secured to prevent any alternative methods of access to data they handle.



Steve VanDevender
Last modified: Wed Jul 14 14:55:51 PDT 2004