I've looked a bit at suexec, trying to make it go saner. I still cringe. The model is intrinsically broken, for a lot of reasons. I don't think it's feasible to fix suexec for real.
You've got to realize that suexec basically *elevates* a process to root, making its decision on its name and various fishy tests. I don't see how this can be made safe.