We recently discovered a bug in PHP, a simple bit of code and the server would forget any virtualhost based php config and just use the server wide config.
So safemode would return to the php.ini setting even if it's On per virtual host - it would also forget the open basedirectory setting. It was originally thought it could be apache, as it's only reproducable on Apache 2, but it is php (so I'm told). Apache were going to announce it once they had a fix and then it was discovered it's PHP, but the PHP team's reply to my email said fixed in CVS will be in the next release! They don't plan to make a thing about it...

Anyway - just a recommendation to all hosts using safemode, set it On in the php.ini and turn it off per virtual host if required!!