Very few Apache web servers are running the current, fully-patched version of the software, according to research by Netcraft. Some very popular sites are running very old, vulnerable and unsupported versions.
Netcraft is known most for their continuous surveys of publicly-accessible web servers on the Internet. Apache's share of such servers has been taking a nosedive over the last two years, according to the latest report on that survey, although it still dominates among active sites and the busiest sites, where Apache runs more than 50% of those surveyed.
The latest version of the Apache Stable Release is 2.4.7, released November 25, 2013. Very few sites are running this version. In fact, less than 1 percent of sites are reporting that they run any version in the 2.4 branch, despite Apache urging users to do so. In fact, Apache servers are overwhelmingly running the "Legacy Release," i.e. the 2.2 branch, the latest version of which is 2.2.26, released November 18, 2013.
As Netcraft notes, over half of Apache web sites hide the version number, although further tests may indicate the version. By the same token, some servers with a vulnerable version number may not be vulnerable to some of that version's flaws; for example, Red Hat Linux provides a backporting feature by which fixes for later versions may be applied to an earlier version.