To be fair, it's probably not a security vulnerability in most cases, because it's rare that serious code does the equivalent of `$func = $_GET['func']; $func($_GET['userinput']);`, but it certainly makes for nice backdooring.

Regardless, PHP in general was never designed for security of any sort.