I am on Apache 1.3.41 and using CentOS.
I noticed recently there was a security vulnerability and a new version out.
I spoke to my data center (The Planet) about upgrading and got this response:
You could potentially break other packages. However, just know that it might come down to an OS reload if all else fails. We can send the datacenter to try and revert the RPM to the old version of OpenSSL, but if this fails, an OS reload would be the only way to recover. It's really up to you to make the decision.
...this doesn't sound very appealing.
When I got a PCI scan a few months ago, one of the "problems" that caused me not to be PCI compliant was with OpenSSL being "outdated" (in fact, 99.99% of the errors had to do with this).
Do PCI-compliant sites really have to risk an OS reload with every upgrade?