No, we've never supported replacing the packaged Apache server with a customer-supplied one.
We do regularly review Apache security issues to verify whether the bundled configuration is vulnerable. We only ship a limited number of Apache modules, so many vulnerabilities do not apply. When they do, we try to update the bundled server to fix them.
The customer would like to use the Apache that's pre-bundled with their Red Hat 5 distribution, which is 2.2.3 with all the latest security patches.
The reason behind this request is to have the server/OS team be responsible for patching the Apache web server rather than the storage team, which would be the case if they use the DFM-bundled Apache. And we all know there is no effective way of patching the one that comes with DFM.
Do you guys maintain a list of vulnerabilities that are not applicable (false positives) somewhere? Nessus lights it up with Apache and OpenSSL vulnerabilities non-stop. You say that the Apache you ship is not vulnerable, do you specify what it's not vulnerable to?