Using the module has a slight performance gain, since it's compiled into the Apache binary, meaning the PHP interpreter runs in the Apache process. So, when Apache spawns a child, each process will already contain a binary image of PHP. On the other hand, CGI is a bit more secure, in that the server manages control and access to the binaries. Although, most security holes are due to the scripts themselves. There are a lot of poorly programmed PHP scripts out there.
And, while CGI is slower there are solutions to that, such as FastCGI. If you are using a threaded MPM, then you'll want to avoid mod_php, since there are some extensions that are not thread safe, which will likely lead to race conditions.
Personally, I prefer FastCGI to mod_php. If a FastCGI process dies, a new one is spawned. I've seen instances where mod_php has killed off Apache entirely.