PHP Tips, Resources and Best Practices for 2015

I don’t think it is that simple to justify that “PHP is the most secure of them”. All three (PHP, Ruby, Python) are “mainstream” languages with huge user bases. While PHP has the largest user base, it doesn’t mean that Python or Ruby lacks security audits or research, or that research towards PHP is superior compared to Python or Ruby research.

And it is not only about plain user base size. Some other important factors are bounties offered/paid, importance of the victim, and quality of the audits.

I’m not saying one could justify which language is the “most secure” just by looking at assigned CVE IDs, but I think, in this case, it gives some view.

Also, it is important to acknowledge that while software gets more secure immediately after a vulnerability has been patched, the other side is that the exact same software has been insecure from the point when the vulnerability was introduced in the code to the point it was fixed and deployed to the “end user” (which could be quite a long time).

1 Like