Only day 2 of the new year and the mis-statement of the year may have been made. PHP is infamous for being insecure. The core has improved, I’ll grant that, but the community surrounding it still doesn’t take the issue seriously. That’s not unique to PHP, but it seems worse among PHP progammers. The language itself does little to nothing to help users avoid these problems - loose datatyping is a hacker’s dream for causing all sorts of havoc. It wouldn’t be so bad if you could turn it off.
I can’t be too critical of PHP - it does pay my bills - but don’t call it something it never has been - secure. It’s not - you have to watch it and the programs ran using it like a hawk.