In 2019, 11% of all vulnerabilities listed by the National Vulnerability Database were linked to PHP; historically, about 30% of all vulnerabilities listed since 1996 in this database are linked to PHP. [1]
Also early this year there were news that git.php.net was compromised and a backdoor was introduced into PHP, but lucky enough the backdoor was catch before a production release.[2][3]
The git.php.net server was also not compromised, as far as I know, from a PHP vulnerability that was active at the time.