Well, suppose you need to distribute your app to a server on which you do not have administrative privileges. This server allows you to have a .htacces file, but you can't do everything you want, so your site breaks, potentially exposing those files to the public. Or, suppose someone introduces an error into the main apache config file, accidentally disabling .htaccess. Or suppose you migrate you app to your brand new dedicated box, and simply forget to copy that file over (it's hidden from normal view, you know). Then, when you realize what you've done, having found of your private files all over the net, you upload the file, only to realize several weeks later that you accidentally disabled .htacces in your main config file.
... I think there's a decent list of possible mixups that justify not relying on .htaccess for security. In general, keeping your private data above the document root safeguards you against a great deal of possible human error events, and possibly even a good deal of possible software errors, either of which may go unnoticed until they're critically painful.