We have been running modsecurity 2.x for years.
The build is easy with apache 2.2 x64 and 2.4 x64.
Pros:
I believe it SHALL already prevent a number of automated attack(s) silently.
Cons:
The core (and difficult) part is the ruleset.
Default rule set shall cause some false-positive, even for Squirrelmail.
We have disabled a few rules for squirrelmail, and a few for general purpose.
Also, we need to use DA panel custom httpd configuration to disable particular rule(s) for particular user, which means some admin and communication work