I disagree with the idea that chroot is difficult - it just isn't appropriate for everything. For a small environment, with a server hosting more than one web environment, chroot is exceedingly powerful and provides controls around separation, and escalation prevention. Managing it is not a huge resource problem.
If you have an enterprise scale environment you may be less likely to use chroot (as it does become unwieldy in a large environment), but you are likely to have alternative controls which may include in depth monitoring, IDS/IPS , layered firewalls and SIEM.
I would class mod_security as an essential (for the webservers that have it or equivalent functionality) - it is an extra layer of defence which is simple to implement, and for most use cases it doesn't cause significant impact.
chroot and mod_security - as well as firewalls etc are all just layers of security which may help to prevent an attack or at least slow it, thus raising the likelihood you will spot it before it causes too much damage (assuming you are also monitoring...another control)