mod_rewrite and security
The security risks associated with mod_rewrite are not particularly high - certainly no more risky than having a site which uses only basic password authorization.
If you do not allow anonymous FTP access to your site, I would not worry about mod_rewrite, or any other Apache module. In order to be a risk, your .htaccess, .passwd, and cgi files have to be FTP-writable; Disallowing non-password-protected uploads of these files provides a reasonable level of security. Since HTTP can't do file writes, and FTP is protected, this usually leaves only "inside jobs" - access to your site from within the server itself - as the only open door. Hopefully, your host does a good job of preventing that from their end, and the scripts you use are well-written to prevent unauthorized use of any scripts that might have unlimited file-writing capability.
In addition, using mod_rewrite and mod_access allows you to put in place mechanisms to stop random probing of your site's resources, which adds to the security of the site.
So, why do hosting companies and IT departments prefer to disable mod_rewrite? Because it is powerful, and one little typo can take a site down with 500 server errors. A slight design error can scramble-up your URLs, leading to an unusable site until the rewrite rules are corrected. So, hosting companies and IT departments cut costs by not supporting it. Either they disable it completely, or they say, "You're on your own if you use it."
I'm not quite sure why people find it so daunting - the documentation is on-line, and is relatively short and concise. But hosting companies and IT departments are under a lot of cost-reduction pressure, so I guess developing any kind of support expertise is out of the question for most of them.