specify a floating point range using regular expression

Question 1

this sounds like a buisness logic rule - something that should be done in the server logic, not by mod_security, but anyways:

Floating point numbers in the range [0..999.9] are numbers that

start with an optional sequence of zeroes (you may or may not allow that)
followed by at most three digits, first of which is not zero
optionally followed by a dot and nothing but digits (you may require there be at least one digit the last digit to be nonzero)
except numbers that start with 999.9 and said optional zeroes
except 999.9 itself is allowed (if the range is inclusive from the right)

the least restrictive variant, compiled into a regex:

^0*(?:(?!999\.9\d*$)\d{0,3}(?:\.\d*)?|999\.0*)$

^ - start of string (not sure if it's added by mod-security)
0* - 0-n zeroes
(?:...) - non-capturing group
- (?!...) - if not followed by...
  - 999.\9 - the literal 999.9,
  - \d* - 0-n digits and
  - $ - the end of string
- \d - digit
- {0,3} - zero to three times
- (?:...) - non-capturing group
  - \. - literal .
  - \d* - 0-n digits
- ? - optional
- | - or
- 999\.9 - 999.9 itself
- 0* - optional zeroes
$ - the end of string

Question 2

(^0\.0?[1-9]\d*|^[1-9]{1,3}\.\d+)

The first match alternative matches wanted numbers smaller one, the second if one or larger but smaller than one thousand. Does not match numbers not containing a dot, and does match numbers like 999.999, but only if smaller than one thousand (that's what you need I guess).