It is easier to monitor an app when it resides in its own directory; it is easier to insert simple handles, and it is easier to extract info from log files (and also easier to write such info in separate file with env=xxx conditions). As for security, it easier to check and monitor access permitions. (As per Apache security_tips docs, placing an app inside server configuration directories is the least desirable option.)