I will never recommend PHP to a customer or even a friend; however, I heard about an Apache module (by SuSE apparently) which is designed as a security layer for mod_perl and mod_php. I haven't even tried it yet, but I will the next time I need to support others' bad decisions.
If you know what you are doing and develop a PHP application with security in mind from the first moment, 95% of all potential PHP exploits can be avoided.
Absolutely strict, brutal and dictatorial input validation as the first action of the application is a must in any PHP project. Only variables explicitly allowed to pass should be passed, and they should be checked at least for their data types and sizes, plus additional checks if needed. The CPU cost of such checks is fairly low.
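The allow-list approach the commenter describes, as an added example that is not code from any poster on this thread: a hypothetical `validateInput()` function takes the raw request array and a schema of explicitly permitted parameter names, rejects anything not in the schema, and checks each accepted value for type and byte length before the application sees it. The schema format, the `InputValidationException` class and the sample request are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list validator (added example, not from any poster on the thread).
// Only parameters named in the schema are accepted; everything else is rejected outright.
final class InputValidationException extends RuntimeException {}

/**
 * @param array<string,mixed> $source  raw request data, e.g. $_GET or $_POST
 * @param array<string,array{type:string,max:int,required?:bool,pattern?:string}> $schema
 * @return array<string,int|string> validated, typed values keyed by allowed name
 */
function validateInput(array $source, array $schema): array
{
    // Reject any parameter that was not explicitly declared in the schema.
    $unexpected = array_diff(array_keys($source), array_keys($schema));
    if ($unexpected !== []) {
        throw new InputValidationException('Unexpected parameter(s): ' . implode(', ', $unexpected));
    }

    $clean = [];
    foreach ($schema as $name => $rule) {
        if (!array_key_exists($name, $source)) {
            if ($rule['required'] ?? true) {
                throw new InputValidationException("Missing required parameter: $name");
            }
            continue;
        }
        $raw = $source[$name];
        // Nested arrays (e.g. ?id[]=1) are never accepted where a scalar is expected.
        if (!is_string($raw)) {
            throw new InputValidationException("Parameter $name must be a scalar string");
        }
        // strlen() counts bytes, so the size limit holds regardless of encoding.
        if (strlen($raw) > $rule['max']) {
            throw new InputValidationException("Parameter $name exceeds {$rule['max']} bytes");
        }
        switch ($rule['type']) {
            case 'int':
                // filter_var() rejects "42abc", " 42" and "1e3"; a plain (int) cast would silently accept them.
                $value = filter_var($raw, FILTER_VALIDATE_INT);
                if ($value === false) {
                    throw new InputValidationException("Parameter $name is not an integer");
                }
                break;
            case 'string':
                // Always refuse control bytes, and enforce a character allow-list when one is given.
                if (preg_match('/[\x00-\x1F\x7F]/', $raw)) {
                    throw new InputValidationException("Parameter $name contains control characters");
                }
                if (isset($rule['pattern']) && !preg_match($rule['pattern'], $raw)) {
                    throw new InputValidationException("Parameter $name does not match the allowed format");
                }
                $value = $raw;
                break;
            default:
                throw new LogicException("Unknown rule type {$rule['type']} for $name");
        }
        $clean[$name] = $value;
    }
    return $clean;
}

// Constructed sample schema and requests, standing in for $_GET.
$schema = [
    'id'   => ['type' => 'int',    'max' => 10],
    'sort' => ['type' => 'string', 'max' => 8, 'pattern' => '/^(asc|desc)$/', 'required' => false],
];

$good = validateInput(['id' => '42', 'sort' => 'desc'], $schema);
var_dump($good);

// Each of these is refused: an undeclared parameter, a non-integer id, and an array where a scalar is expected.
foreach ([['id' => '42', 'debug' => '1'], ['id' => '42abc'], ['id' => ['1']]] as $bad) {
    try {
        validateInput($bad, $schema);
    } catch (InputValidationException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Run it at the top of the request, before any other code touches `$_GET` or `$_POST`, and pass only the returned `$clean` array onward; the original superglobals should not be read again later in the request.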
On a side note: mail() is not a very optimal solution for mailings anyway; full SMTP stack implementations such as PHPMailer are better, although not an exploit-free solution either.