I've just added a new feature to mod_security (CVS, both versions) that allows you to achieve a better control of what gets filtered. Up until now mod_security looked at every single request. Since most static resources (e.g. images) are not vulnerable it is safe to assume that we don't need to look at those types of requests. And, the number of image requests versus (dynamic) page requests is much bigger the savings in CPU cycles are probably quite big.