A web search on 'linux web server exploits that gain root' will give many examples.
No, not. And you better get your info for this type of stuff from cve websites or apache vulnerability list.
Security design by first principle assumes that an attacker will gain root access.
I would not know. Logical deduction of the topic question 'when roundcube gets hacked' does not include all this.
The OP is correct with his question. The risk of having an undetected exploit in roundcube code is probably >10000x than something with the webserver software.
Best practise is to limit the damage that can cause. The usual way to limit it is put all public facing systems in a DMZ and have a very carefully controlled access from them to an internal priavte network. The access control is performed by systems that cannot be controlled by a breached public facing server. e.g. router firewalls,.
How does stating something so obvious but irrelevant contribute?