Is a recompile all that onerous? DirectAdmin for example needs rebuilds for the slightest change! I assume that you install ccache by default, as that helps considerably.
Any version of mod_sec and free OWASP rules is better than none at all. 
Including mod_sec/OWASP/CSF would make HestiaCP a much more viable replacement for CWP.