I'm actually rather shocked that FTP is still being used as the primary means for users to upload material to their accounts, with no option in the GUI to configure jailed SFTP.
FTP transmits usernames and passwords in clear text. This is a huge security risk that is easily avoidable, and for a server administrator this could actually be considered a negligent liability, depending upon the damages caused by the interception of user account credentials.
openssh-server provides all the functionality for secure file transfers that anyone could ever need.
Jailing SFTP is also important because without it an attacker has access to the entire filesystem. They may not have access to make damaging changes, but it still allows them to gather information about the filesystem and/or user account to aid in further attacks.
I really like Virtualmin, but it has several security flaws that users must manually correct in order to secure their systems. The FTP vs. jailed SFTP issue is just the biggest one.
Please consider adding this to your list of to-dos. It's really very important.
Note: PHP is also by default configured to allow users to include any file on the filesystem and view its contents via a web browser. To prevent this, administrators have to manually fine-tune every user's php.ini to jail it to their home directories, as well as lock out PHP features that would allow an attacker to launch scripts and/or attacks via PHP.
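
An added example, not part of the original post and not Virtualmin code: the OpenSSH settings that jail SFTP users (`ChrootDirectory` plus `ForceCommand internal-sftp` inside a `Match` block), with a small auditor that checks a config for them. The sample configs are constructed, the group name `sftponly` is an assumption, and only `Match` blocks are examined.

```python
import re

# Constructed sample configs; the group name "sftponly" is an assumption.
JAILED = """\
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
"""
UNJAILED = """\
Subsystem sftp internal-sftp
Match Group sftponly
    # ChrootDirectory %h
    ForceCommand=internal-sftp
"""

# sshd_config lines are "Keyword args" or "Keyword=args"; keywords ignore case.
LINE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.*)")

def match_blocks(text):
    """Return [(criteria, {keyword: value})] for each Match block."""
    blocks = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())  # comments and blank lines do not match
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            blocks.append((value, {}))
        elif blocks:
            blocks[-1][1].setdefault(key, value)  # sshd keeps the first value
    return blocks

def audit(text):
    """Return {criteria: [problems]}; an empty list means the block jails SFTP."""
    report = {}
    for criteria, opts in match_blocks(text):
        problems = []
        if opts.get("chrootdirectory", "none").lower() == "none":
            problems.append("no ChrootDirectory: whole filesystem is visible")
        if opts.get("forcecommand", "").split()[:1] != ["internal-sftp"]:
            problems.append("ForceCommand is not internal-sftp")
        report[criteria] = problems
    return report

def is_jailed(text):
    """True if at least one Match block confines its users to a chroot."""
    return any(not p for p in audit(text).values())
```

sshd additionally requires every component of the chroot path to be a root-owned directory that no other user or group can write to; that is a filesystem property this text-only check cannot see.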