
I agree with the point you're making about industry standards. PHP is not considered in the enterprise environment, simply because of all its flaws and its security vulnerabilities, and it still has the same problems as before. Most languages don't have those problems.



PHP as a language had inherently insecure designs such as register_globals and RCE in unserialize().

When working on reviews, it's often as easy as grepping for "unserialize" and working your way from there for an easy bounty.

However, PHP has matured a lot. There is not a hint of register_globals as of now, and we have proper serializers, in addition to RCE-free improvements to the original unserialize().

With native support for proper password hashing, sodium, and other improvements lately, one could argue that PHP is one of the most secure languages out there.
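Added example for the points in the comment above (not code from the thread or from any PHP project): a minimal object-injection gadget, the grep-able vulnerable unserialize() call, the `allowed_classes` hardening that PHP 7.0 added, json_decode() as the safer serializer, and the native password_hash()/password_verify() API. The TempFileCleaner class, the file path, and the payload are all constructed for illustration; it assumes PHP 8 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical "gadget": any class the application already loads whose magic
// methods (__wakeup, __destruct, __toString, ...) act on properties the
// attacker controls. This one deletes whatever $path names when destroyed.
final class TempFileCleaner
{
    public string $path = '';

    // Runs when the object is garbage collected, i.e. as soon as the value
    // returned by unserialize() goes out of scope.
    public function __destruct()
    {
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Constructed attacker payload: serialized TempFileCleaner with $path pointing
// at a file of the attacker's choosing (PHP serialization: O:<len>:"Class":<n>:{...}).
$target  = sys_get_temp_dir() . '/victim.txt';
$payload = 'O:15:"TempFileCleaner":1:{s:4:"path";s:' . strlen($target) . ':"' . $target . '";}';

// 1. Vulnerable: the classic pattern a reviewer greps for. unserialize()
//    instantiates whatever class the input names, so the gadget fires.
function vulnerable(string $untrusted): void
{
    $obj = unserialize($untrusted);
    // $obj is discarded here, so __destruct runs with the attacker-chosen $path.
}

// 2. Hardened (PHP >= 7.0): refuse to instantiate any class. Objects in the
//    input become __PHP_Incomplete_Class, whose magic methods never run.
function hardened(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// 3. Preferred for untrusted input: a format that cannot name PHP classes at all.
function parseJson(string $untrusted): array
{
    return json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
}

// 4. Native password hashing: PASSWORD_DEFAULT picks the current recommended
//    algorithm (bcrypt today, subject to change), salts automatically, and
//    embeds the algorithm and cost in the hash so verification stays portable.
function storePassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

function checkPassword(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

// Demonstration.
file_put_contents($target, "important data\n");
vulnerable($payload);
echo 'after vulnerable(): file exists = ', var_export(file_exists($target), true), PHP_EOL;

file_put_contents($target, "important data\n");
$safe = hardened($payload);
echo 'hardened() returned: ', get_class($safe), PHP_EOL;
unset($safe);
echo 'after hardened():   file exists = ', var_export(file_exists($target), true), PHP_EOL;

$cfg = parseJson('{"path":"/etc/passwd"}');
echo 'json gives a plain array, no object: ', gettype($cfg['path']), PHP_EOL;

$hash = storePassword('correct horse battery staple');
echo 'password ok:   ', var_export(checkPassword('correct horse battery staple', $hash), true), PHP_EOL;
echo 'password bad:  ', var_export(checkPassword('wrong', $hash), true), PHP_EOL;

unlink($target);
```

The review check the comment describes is the same in practice: find every unserialize() call, then ask whether the second argument restricts `allowed_classes` and whether the input can be attacker-influenced; a call with neither, in a code base that autoloads classes with interesting __wakeup or __destruct methods, is the bounty.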




