PHP as a language had inherently insecure designs such as register_globals and RCE in unserialize().
When working on reviews, it's often as easy as grepping for "unserialize" and working your way from there for an easy bounty.
However, PHP has matured a lot. There is not a hint of register_globals as of now, and we have proper serializers, in addition to RCE-free improvements to the original unserialize().
With native support for proper password hashing, sodium, and other improvements lately, one could argue that PHP is one of the most secure languages out there.
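What a reviewer looks for once grep has found an `unserialize()` call, shown as an added example that is not code from the original text. It assumes the "improvements" mentioned above include the `allowed_classes` option that `unserialize()` accepts since PHP 7.0; the `AuditProbe` class and all input values are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for any application class that has a magic method.
final class AuditProbe
{
    public static int $wakeups = 0;

    public function __wakeup(): void
    {
        self::$wakeups++; // side effect triggered by unserialize() itself
    }
}

// Constructed sample input, standing in for a cookie or form field.
$untrusted = serialize(new AuditProbe());

// Legacy call: every loadable class named in the input is instantiated
// and its magic methods run before the application sees the value.
$legacy = unserialize($untrusted);
printf("legacy:     %s, wakeups=%d\n", get_class($legacy), AuditProbe::$wakeups);

// Restricted call: with allowed_classes=false no class is instantiated.
// Objects come back as __PHP_Incomplete_Class and __wakeup() is not called.
$restricted = unserialize($untrusted, ['allowed_classes' => false]);
printf("restricted: %s, wakeups=%d\n", get_class($restricted), AuditProbe::$wakeups);

// Data-only format: JSON cannot name a class at all, so it is the
// simpler choice when the payload is plain data.
$json    = json_encode(['user' => 'alice', 'roles' => ['editor']], JSON_THROW_ON_ERROR);
$decoded = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
printf("json:       user=%s\n", $decoded['user']);

// Native password hashing, also mentioned above: the algorithm, cost and
// salt are stored in the hash string, so verification needs no extra state.
$hash = password_hash('constructed-example-password', PASSWORD_DEFAULT);
printf("password:   verified=%s\n",
    password_verify('constructed-example-password', $hash) ? 'yes' : 'no');
```

In review, a call of the first form on request-derived data is the finding; the second form or a data-only format is the fix.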