The only logical explanation I can think of based on my personal experience is that shared hosting services offer Apache web server by default so they can host WordPress websites which by the way, based on w3techs.com, 43.1% of all websites are WordPress.

You may ask why Apache then? Well, because when a user modify some settings via dashboard, they change in .htaccess which does not expect a web server restart or super user permissions like you need with NGINX, for example.

Now you know why WordPress websites are getting hacked easier than other CMS-es...because they can apply changes in .htaccess on the fly, whereas with other web servers, you need root permissions, thus the extra layer of security.