What kind of security do you want? There's all kinds. You can always use .htaccess AND DB-based login. Couldn't hurt.

Anything is only going to be as secure as the program driving it, so if there are more Apache vulnerabilities than PHP/mysql (or whatever) vulnerabilities, then maybe you shouldn't use Apache. And vice versa. Things like buffer overflow attacks against Apache vs. SQL injection to compromise your DB, I mean. Though it would be hard (mostly impossible) to actually count them, and severity matters as much as quantity.

Apache has the benefit of being widely tested. If you're using DB-based authentication, you likely rolled your own form input and password parser, right? And the password is input via POST or GET? If so you're more likely carrying unfound logic bugs, or subtle things that can b0rk PHP/Perl/your script of choice. What if someone throws 4MB worth of GET data at your script? Will it choke? What about if they enter tons of NULL characters, quotes, backslashes and newlines as their username? What if they send a thousand password requests simultaneously? PHP often offers up all kinds of nice info about your database any time you can get it to crash, for example. Things like that. On the flip side, if you're using something non-standard and home-brewed, then you have obscurity going for you, so any widespread IIS-targetting scripts that may exist won't hurt you. For what it's worth.

Then there's the security of the password itself. If you use "admin/password" as your username/password, it doesn't really matter what the mechanism of login is; people will just guess it. If your users are stupid, then you're screwed no matter how nice your code is. Do you have a good password policy (assuming you have multiple users)? Are you enforcing password length so someone can't dictionary-attack you? (Though enforcing password length also has its bad side.)

Are you authenticating over an encrypted connection? If not, then it doesn't matter how good your passwords OR backend are; someone can do some traffic sniffing and there you go. If so, there's different quality of encryption schemes to take into account.

How's the security of the machine you're logging in from? Can someone install a key-logger on it? Or on any of your users' machines? What if your users are all using an unpatched version of Windows ME and install all kinds of trojans and spyware and adware?

Security is hard. It's just a matter of what you're willing to settle for. Although personally I'd be more worried about things like people writing their passwords on Post-It notes and putting it next to their computer or any number of other issues than I would about DB vs. .htaccess authentication.