Yes, and that's why I said change the mode of the PHP files, not the .html files. The .html files need to be readable by user nobody, but on a suphp or similar server, where PHP runs under the user's userid, it's fine for the .php files to be mode 600.
You cannot make all of your files to be 600 as that can break many web applications on the server.
Also you can't control that users will not change the permissions of the files by themselves.
And yes, the users will change the mode of the files, which is why you should put the modes back periodically. They're not going to check very often, if at all, so long as the site continues to run and they can access their files, which they can.
Security is made up of layers - the symlink protection, and then not being able to read the files - one being broken and you're still safe.
Ultimately this is a hole in Apache for which cPanel should take greater responsibility - it's very serious, and needs to be treated as such and not just palmed off to Apache who don't necessarily completely understand all the uses that their software is put to.
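One way to put the modes back periodically, as the post above suggests. This is an added example, not code from the thread; the function name `reset_php_modes`, its arguments and the idea of running it per account from cron are assumptions, and it presumes a suPHP-style server where PHP runs as the account owner.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original thread).
# reset_php_modes DOCROOT [OWNER]
#   Sets mode 600 on every regular *.php file under DOCROOT whose mode is
#   anything else, and prints how many files were changed.
#   .html and other static files are left alone so the web server user
#   can still read them.
reset_php_modes() {
    docroot=$1
    owner=${2:-}

    if [ ! -d "$docroot" ]; then
        echo "not a directory: $docroot" >&2
        return 2
    fi
    # Refuse a symlinked document root: the tree it points at may belong
    # to a different account.
    if [ -L "$docroot" ]; then
        echo "refusing symlinked docroot: $docroot" >&2
        return 2
    fi

    # Optionally restrict the sweep to files owned by the account itself.
    if [ -n "$owner" ]; then
        set -- -user "$owner"
    else
        set --
    fi

    # find without -L never descends through symlinked directories, and
    # -type f skips symlinks named *.php, so chmod is never applied to a
    # link target outside the tree. One dot is printed per changed file
    # and counted, which stays correct for odd filenames.
    find "$docroot" -type f -name '*.php' "$@" ! -perm 600 \
        -exec chmod 600 {} \; -exec printf '.' \; | wc -c | tr -d ' '
}

# Runs only when a document root is passed on the command line, e.g. from
# a cron entry for one account (the path is supplied by the operator).
if [ "$#" -gt 0 ]; then
    reset_php_modes "$@"
fi
```

A non-zero count on a later run shows that someone loosened the modes again since the previous sweep.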