/bin/su would be more secure if it used permission 4110 instead of 4111. Only users of some group, e.g. sudo, would be able to execute /bin/su.
No. /bin/su already takes care of only allowing access to members of the wheel group (or whatever the admin decides to set it up with).
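
The two restrictions discussed above (dropping the "other" execute bit, and a group check done at authentication time) can be audited side by side. This is an added example, not part of the original posts: it assumes a Linux-PAM system where the group check is done by pam_wheel.so in the PAM configuration for su, the function names are hypothetical, and the sample configurations are constructed.

```shell
#!/bin/sh
# Added example: report which mechanism, if any, limits who can use su.
# The mode check assumes the file's group is the intended admin group.

# True if the "other" class may execute a file with octal mode $1.
others_can_exec() {
    [ $(( 0$1 & 0001 )) -ne 0 ]
}

# True if the PAM config on stdin has an active auth line that makes
# pam_wheel.so mandatory (required/requisite). Lines using "deny" turn the
# module into a blocklist, so they are not counted as an allow-list.
pam_wheel_enforced() {
    grep -E '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' |
        grep -Evq '[[:space:]]deny([[:space:]]|$)'
}

# audit_su MODE   (PAM config for su on stdin)  -> prints mode|pam|both|open
audit_su() {
    by_mode=no; by_pam=no
    others_can_exec "$1" || by_mode=yes
    pam_wheel_enforced && by_pam=yes
    case "$by_mode$by_pam" in
        yesyes) echo both ;;
        yesno)  echo mode ;;
        noyes)  echo pam ;;
        *)      echo open ;;
    esac
}

# Constructed samples of PAM configuration for su (not from a real host).
PAM_DEFAULT='# auth required pam_wheel.so
auth sufficient pam_rootok.so'
PAM_WHEEL='auth sufficient pam_rootok.so
auth required pam_wheel.so use_uid'

printf '%s\n' "$PAM_DEFAULT" | audit_su 4111   # open
printf '%s\n' "$PAM_DEFAULT" | audit_su 4110   # mode
printf '%s\n' "$PAM_WHEEL"   | audit_su 4111   # pam
printf '%s\n' "$PAM_WHEEL"   | audit_su 4110   # both
```

On a real host the mode would come from the installed su binary and the configuration from the PAM file for su; a commented-out pam_wheel line, as in the first sample, counts as not enforced.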