@Joe very nicely said.
+1 for using mod_security by default (with safest defaults in order not to break websites),
and a suggestion for antispam system:
go for rspamd instead. might be a lot of work to replace existing amavis+SA setup, but…
rspamd integration would save you time messing around with lots of daemons/services: spamassassin, opendkim, opendmarc, amavis, postgrey, ratelimit… these are all integrated in rspamd as modules…
it's also very fast in spam training, compared to SA.
and a security point: rspamd doesn’t require a compiler installed on a production server (just like spamassassin does…).
- would also suggest postscreen+postwhite installed/activated by default, or configurable in some “email settings” option.
2c.