" Webhosts should be able to host any PHP script "
If your server is correctly setup in the security realm, You should be able to upload some PHP shell yourself and try to run it... if it works, well your insecure...
Its the same with vulnerable CMS's, if you can install a common CMS, then google for a exploit for it and the exploit works.. Your server is insecure.
Even if you have vulnerable/insecure PHP scripts, you should still be able to run them partially on your linux server without being exploited...
In some cases, its not about completely stopping an attack but letting it happen to a certain extent to learn from it, then block the attack with crafted security rules.
mod_security is one of the best things ever coded for apache servers, with my custom rules i can block some of the latest even unheard of attacks Thats why its good to be a " grey hat " security enthusiast, as you get the pros of both sides