You could also disable the cgi completely from apache at compiling level
"--disable-cgid" \
"--disable-cgi"
But you should then look at cron jobs, they are the same as ssh access.
See this post from DA,
http://www.directadmin.com/forum/showthread.php?t=31420&p=159122#post159122 and read the last line.
Basically thats what CloudLinux did. Don't pin me down on it, this is how I think it works; you have one copy of many system files - and that copy is being used for all users. Its about 1GB. Then each user has a set of folders, mainly /etc/ stuff, like their own passwd file. Only a few MB per user. And in some way it gets mounted and a user has its own virtual environment in ssh, php, cgi, cron etc.
If you don't want to use it, I do think you could manage something by chmodding a lot of stuff. But I don't you get it bullet proof like that.