While some CVEs require specific modules to be enabled (like mod_userdir ), others rely on the standard parsing of HTTP headers. Furthermore, 2.4.18 lacks protections against modern attack vectors simply because those attack vectors had not been invented or widely understood in 2015.
However, being released in late 2015 means it predates several major discoveries in web security, including the HTTP Desync attacks and various path traversal vulnerabilities. While 2.4.18 fixed issues present in the 2.4.17 branch, it simultaneously opened the door for new vulnerabilities that were discovered in subsequent months and years.