First thing I do is move /tmp and /var/tmp to a partition that's mounted noexec. Too many sloppy PHP apps. Worms drop things in /tmp and run them from there.
Do you know that you can run anything from there without having /tmp exec? Crackers today can execute anything even if it is mounted noexec.
I would agree, however this is another layer of security that will stop most basic worms that attempt to execute themselves from the /tmp directory.
There is a short, good-looking article by Steve Kemp on the subject here: http://www.debian-administration.org/articles/57 It provides detail on how some issues can be worked around, for example, apt-get runs scripts from /tmp.
Chrooting apache with its own special /tmp might be a better approach.
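An added example, not posted by anyone in this thread: a small POSIX sh check that parses /proc/mounts-style lines and reports whether /tmp and /var/tmp actually carry noexec (the first post's layer, with the apt caveat from the article mentioned above). The mount table it ships with is constructed, and the fstab and apt.conf remount lines in the comments are assumed typical settings rather than anything quoted from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): verify that the scratch directories worms drop
# into are mounted noexec, by parsing lines in /proc/mounts format.
# Constructed sample: /tmp is a noexec tmpfs, /var/tmp is a plain ext4 mount without
# noexec, and anything else (e.g. /home) simply lives on the root filesystem.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=524288k 0 0
/dev/sda3 /var/tmp ext4 rw,relatime 0 0'

# mount_opts MOUNTPOINT MOUNTS_TEXT: print the option list of the last entry for
# MOUNTPOINT (last wins, as with stacked mounts); prints nothing if it is not a mount point.
mount_opts() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { opts = $4 } END { print opts }'
}

# has_opt MOUNTPOINT OPT MOUNTS_TEXT: succeed if OPT is among the mount options.
has_opt() {
    case ",$(mount_opts "$1" "$3")," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_scratch_dirs MOUNTS_TEXT: report /tmp and /var/tmp; fail if either can run binaries.
# A directory that is not its own mount point inherits the root filesystem's (exec)
# options, so "not a separate mount" is reported as executable, not as unknown.
check_scratch_dirs() {
    rc=0
    for mp in /tmp /var/tmp; do
        if has_opt "$mp" noexec "$1"; then
            echo "$mp: mounted noexec"
        else
            echo "$mp: executable (no separate mount, or mounted without noexec)"
            rc=1
        fi
    done
    return $rc
}

# Remediation hints (assumed typical settings, adjust to the host):
#   /etc/fstab:   tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0
#   apt-get runs scripts from /tmp (as noted in the thread), so let apt remount it around
#   package runs, e.g. in /etc/apt/apt.conf.d/50remount-tmp:
#     DPkg::Pre-Invoke  { "mount -o remount,exec /tmp"; };
#     DPkg::Post-Invoke { "mount -o remount,noexec /tmp"; };

# Run with --live to read the real mount table; without arguments the sample above is used.
if [ "${1:-}" = "--live" ]; then
    check_scratch_dirs "$(cat /proc/mounts)" || echo "WARNING: a scratch directory can execute files"
else
    check_scratch_dirs "$SAMPLE_MOUNTS" || echo "WARNING: a scratch directory can execute files"
fi
```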