Because (a) mod_wsgi is nowhere near as easy to sandbox as PHP (again, php.ini settings), (b) configuring proper production servers to run as specific users is a pain, and (c) this is a university where people have access to sensitive student information and research data in the AFS system. How bad do you think it would be if a random student could exploit their professor's site and change their exam grade?