Not the person you asked but I am not aware of any that disable ASLR by default, though most default to 1 which only enables ASLR for applications compiled to enable it vs 2 forcing it on or 3 on some distributions that use a hardened kernel. Rather than trusting any assumptions I prefer to run checksec [1] on every OS I touch. It's an old script but works just as well today as it did long ago. One may find that some applications are missing some basic hardening compile time options. The script is not an exhaustive test of all modern hardening options. Example of ASLR being forced on:

    # sysctl kernel.randomize_va_space
    kernel.randomize_va_space = 2

Typical invocation:

    checksec.sh --proc-all

This invocation will list the status of RELRO, Stack Canary, NX/PaX, PIE of all running daemons. My CachyOS installation for example is missing Stack Canaries for all daemons.

    checksec.sh --fortify-proc 732
    * Process name (PID)                         : sshd (732)
    * FORTIFY_SOURCE support available (libc)    : Yes
    * Binary compiled with FORTIFY_SOURCE support: N

Some additional compile time hardening options [2] and discussion [3]. Even Rust apparently has some compile time security related options.

[1] - https://www.trapkit.de/tools/checksec/ # some Linux repositories already contain "checksec".

[2] - https://best.openssf.org/Compiler-Hardening-Guides/Compiler-...

[3] - https://news.ycombinator.com/item?id=43533516

"old days of PHP and Apache" ...

Apache still runs about 23-28% of websites (with some measurements suggesting it is pretty close to equal with nginx). PHP is still in use by 70-80% of websites (numbers vary depending on where you look).

You make it sound like both pieces of tech are irrelevant. Nothing could be further from the truth.

some quick googled examples (like I said other sites' numbers vary, but you get the general idea):

https://www.wappalyzer.com/technologies/web-servers/ https://kinsta.com/php-market-share/