Maybe you have some files that an attacker should not be able to modify. Perhaps you know that executable CGI files should only be in one place. Sometimes you can make the filesystem itself do your work for you.
Modern Unix systems provide the ability to mount filesystems in special ways - two options in particular are worth noting. The "ro" flag will mount a partition read-only. No process can modify or create files on that partition, even if they would otherwise have permission to - even if they are root. The "noexec" flag tells the kernel not to run any programs off of that partition, even if they are otherwise valid programs. There's also "nosuid" (don't allow set-user-id operations) and "nodev" (don't allow device files) which may be useful in different circumstances.
man mount to see more mount options.