My advice: If you want security then stay away from Webmin.
Or atleast, that's my advice from looking at it a couple of years ago... it's implementation that is... I gave up trying to explain the security risk to the author... exploits that could be easily verfied (and fixed) were only met with a response: 'fixed in xyz' (testing xyz revealed it was not fix - so much for testing)
Also: webmin runs everything as root. Only thing it takes is one little exploit in one of the module and you have root access. (And unless the code really changed in the past years then I'm sure there are many exploits in it)