If the host doesn't run mod_security, they're ignorant about security, or don't care.
Mod_security is useful as it's another layer of protection - it covers you against 0-day exploits until you get time to update your website's code.
A good host can also couple mod_security with the firewall so that multiple hits cause an IP to be blocked.
We're a host and we do run mod_security, and it is coupled with our firewall; I'm sure we're not along although I realize many hosts don't do stuff like this.
By the way, they should also have the server hardened, and if they haven't you should choose another host. Just my opinion