PHP is a very popular language, because it appears to be simple to learn. There is a lot of tutorials out there, but (as already said) most of them are outdated or lack security considerations.
I think, the major problem is not the core. The main problem are the old versions on small servers running, because the admins are big hosting companies and they do not want to explain to the user why a specific script can not run.
A lot of PHP programmers do a lot of coding in their free time and security has always been a pain in the a**. You can break things really fast, if you don’t know what you do in the update process.
PHP (like other server technology) is open to attacks from all over the world, this fact must be emphasized on the main PHP help pages.
To fix this, we have to:
- provide best practices for novices (escape input / output, check input boundaries etc.)
- provide anti-patterns
- encourage big frameworks to move to newer PHP versions and drop old version support