by about_help 2980 days ago
As with the majority of security issues, it was done for convenience. Not every user has access to the hosting provider so it was done out of convenience.

Thankfully they removed this option in Drupal 8, the latest version. You could also restrict users from accessing the functionality so it wasn't that terrible. In practice few sites actually use the option, but when they do it can make troubleshooting a giant pain in the ass.

1 comment

The fact that php.module ever existed in the codebase is a downright travesty. As soon as any privileged user was compromised (i.e. someone with "administer users" or "administer site configuration" permissions) the attacker had arbitrary remote code execution.

My projects had a patch to remove that entire module from core on each build.
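
An added example, not part of the thread and not Drupal's own code: a defender's audit that reports whether php.module is enabled on a Drupal 7 site and which roles hold the permissions named in the comment above. It assumes the Drupal 7 tables `system`, `role` and `role_permission` with no table prefix, adds php.module's own "use PHP for settings" permission (not mentioned in the thread), and runs against a constructed in-memory SQLite sample.

```python
import sqlite3

# Constructed sample of the three Drupal 7 tables the audit reads
# (columns reduced to the ones used here; all rows are made up).
SAMPLE_SQL = """
CREATE TABLE system (name TEXT, type TEXT, status INTEGER);
CREATE TABLE role (rid INTEGER, name TEXT);
CREATE TABLE role_permission (rid INTEGER, permission TEXT, module TEXT);
INSERT INTO system VALUES ('php', 'module', 1), ('node', 'module', 1);
INSERT INTO role VALUES (3, 'administrator'), (4, 'editor'), (5, 'author');
INSERT INTO role_permission VALUES
  (3, 'use PHP for settings', 'php'),
  (3, 'administer users', 'user'),
  (4, 'administer site configuration', 'system'),
  (5, 'access content', 'node');
"""

# Permissions named in the comment above, plus php.module's own permission.
ESCALATION_PERMS = ("administer users", "administer site configuration",
                    "use PHP for settings")

def audit_php_module(conn):
    """Return (php_enabled, {role_name: [risky permissions]})."""
    row = conn.execute(
        "SELECT status FROM system WHERE type = 'module' AND name = 'php'"
    ).fetchone()
    php_enabled = bool(row and row[0])
    marks = ",".join("?" * len(ESCALATION_PERMS))
    roles = {}
    for name, perm in conn.execute(
        "SELECT r.name, rp.permission FROM role_permission rp "
        "JOIN role r ON r.rid = rp.rid "
        f"WHERE rp.permission IN ({marks}) ORDER BY r.name, rp.permission",
        ESCALATION_PERMS,
    ):
        roles.setdefault(name, []).append(perm)
    return php_enabled, roles

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return audit_php_module(conn)

if __name__ == "__main__":
    enabled, roles = demo()
    print("php.module enabled:", enabled)
    for role, perms in roles.items():
        print(f"  {role}: {', '.join(perms)}")
```

When the module is enabled, every account in the listed roles is a path to code execution on the web server, so those are the accounts to review first.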