Justin, you missed the mark slightly.
Apache is more secure than IIS, because the http server project team has made a concious decision that security is a primary concern.
They purposely decided to limit default configuration to basic static html and to disallow many features built into a base apache installation for security reasons.
Apache, without adding any more modules, can serve far more than static html, and allow far more activity than it seems, if you remove the rstictions put on it for security in the configuration file.
shtml files are available in the default install, if you enable server side includes.
conditional files, such as language specific versions of a website can be served with a basic install of apache, if you enable that functionality.
Apache is also a local network file server and application server, with only the default install, if you want. Not recomended, adding authentication module(s) before enabling that is recommended.
