That’s not actually the case.
During 2014, PHP got 32 CVE IDs assigned, Ruby got 3 and Python 6.
While most of the PHP’s bad reputation comes (as mentioned here) from bad programming habits, bad code examples, bad books and so on, it is a fact that the PHP language itself has had more vulnerabilities than, say Ruby lang and Python. So based on that, I can understand why some might want to call PHP “insecure language” (it is not as “with no foundation” saying as many PHP devs may at first glance think).