Perhaps you should alter some default settings when apache is installed.
- Deactivate status module : I don't think most people are aware of the /server-status page and if they are, they can just activate the module...
- ServerTokens Prod instead of ServerTokens OS, You already reduced it from Full to OS, but for a production environment I don't think you need that info
- ServerSignature Off, No need to have these on a error page
- Remove the /phpinfo.php file (You have already webmin ....)
- Directories /css /js /images are open for directory listings. Perhaps add a .htaccess file there with Options -Indexes
These are only minor things, the appliances are well protected, but everyting helps I think...