Hi cable mite,
The Apache software built into the SEPM is a custom build, usually hardened down to do just what is needed and not open to anything else. If Symantec's internal researchers determine there is a danger, a new version of the SEPM will be released to keep the organization safe. There's no need to try to manually upgrade or patch the Apache software built into the SEPM.
Security Advisories Relating to Symantec Products
https://www.symantec.com/security_response/securityupdates/list.jsp?fid=security_advisory
For other Apache software, best practice calls for patching as soon as vendors make patches available! One is available for CVE-2017-9805 now.