Hi Tobias, thanks for your report and other notes.
The mentioned configuration file (modsecurity.conf(.recommended)) is part of ModSecurity2. But the package itself (modsecurity-apache) depends on modsecurity-crs, and this package uses the same directory (/etc/modsecurity), so there is a strong connection between these packages. As I explained in bug #1029836[1], we have to review the package modsecurity-crs, but I think based on your report (this issue) we *MUST* review the whole structure in the future.

Thank you again.

a.

1: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029836