I would like a mod-security rule that takes a list of IP addresses from a text data file and if the Client IP does not match one of these, then rate limit requests to 200 requests-per-minute.
Don't use ModSecurity for this. It's not great at handling persistent variables between requests - which is needed for any type of rate limiting. The functionality is there, but because of of the disk based SDBM disk based storage it uses to implement this, this doesn't work under any real load. See this discussion on ModeSecurity mailing thread as one of many examples threads on this subject.
To me this will not really be an option in ModSecurity until some non-disk based storage is used, so best to keep an eye on this bug to see when that is implemented.
Instead look at fail2ban or some other firewall protection for this.