[eluser]bretticus[/eluser]
CI convention dictates using
if ( ! defined('BASEPATH')) exit('No direct script access allowed');
which provides security as long as your webserver can parse php. If, by chance, your php module were to be turned off somehow, all your source code would be readable by the whole wide world (I've seen this happen loads of times in the past several years.)
I agree that putting your system and application folders outside of virtual root is very sound security practice. It's also very easy to change your paths under index.php to boot.
In fact, why not go even further and stick your ci core code (system folder sans application) somewhere and add it to your php include path via php.ini? Then put your individual application folders just outside their respective virtual roots (as you already do apparently.)