http://qs321.pair.com?node_id=482199


in reply to Paranoid about web application security

Apache is securable, as opposed to IIS, which cannot be secured. Apache on Windows does present a challenge though, because any accessible file or region of memory is potentially executable.

*NIX systems (Linux, BSDs, UNIX) can provide greater security through chroot jails and permission-based security. However, if you are not an experienced sysadmin with *NIX, then the greater security of Apache on *NIX may be negated by an inadvertent configuration error. OpenBSD is one of the most secure server systems, in that out of the box you can be reasonably sure that there are no significant vulnerabilities, and the most likely point of failure will be your script, which narrows your focus. In any case, you have lots of good advice above, so good luck. Security is not a solution, but a process involving vigilance.