For the mailman suexec, does apache treat it specially? I just wonder.
We can treat certain CGI script specially, like you said, only force group nobody for it. However, I did not see forcing a group nobody for all CGI scripts is a bad idea if permissions has been set properly.
For the bytes log problem, can you please check the log file see if there is any extremely large number or duplicated entries in a row, it will help identify the problem.