That's so weird... I've just spent the last half hour researching this EXACT topic and then happened to stumble across this post! Lucky you! Here are the fruits of my labour:
The biggest and baddest of them seems to be Horde-Imp. It seems that many universities use it for their webmail interface (my own uni included). It does seem fairly complex though.
A solution that seems slightly simpler, although not as feature-rich, seems to be squirrelmail. I've got no experience with this, although many ISP's offer it as their webmail solution.
There is another one called neomail, but I haven't found out much about it yet.
I haven't installed any of them, this is just from what I've learned surfing various websites. I don't know how easy it is to add new users or how this would need to tie in with your ISP. From what I can tell, all the above scripts are free.
But surely their popularity and the fact that they're open-source means that most of the security flaws would have already been fixed? Or be in the process of being fixed. Although I suppose that it could be like whatever that php bulletin board is that's forever being hacked on a daily basis!
Also, it surprises me that so many educational institutions are using it; maybe their techies have just secured it enough to be able to use it without getting 'owned' :-)
Does anyone have any other (more secure) suggestions?
I'd actually started looking into Horde just after I posted this message. I noticed that my hosting provider offers both it and squirrel as options for viewing my own email. The security issue is a bit of a worry though.