The ease of the "just put it on the filesystem and it can be run!" system also opens up security vulnerabilities when people want to enable file uploads, for instance. I think the proliferation of places you can put configuration for the runtime is also a potential source of issues, as are various forms of string escaping that should be avoided.
These are older issues. When you see comments like "(This bypass was tried apparently on PHP 5.2.5 and I couldn't make it work on PHP 7.3.15)", I'm not sure these apply anymore. The loose == vs strict === exists in many languages. You can make the same mistake in JavaScript.
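The loose-versus-strict comparison point above, shown in JavaScript as an added example that is not part of either comment: the same JSON inputs are run through a `==` check and a type-checked `===` check. The stored code, the request bodies and the function names are all constructed for illustration.

```javascript
// Constructed sample: a one-time code stored server-side as a string.
const STORED_CODE = "0042";

// Loose check: == coerces operands of different types before comparing.
function checkLoose(supplied) {
  return supplied == STORED_CODE;
}

// Strict check: reject anything that is not a string, then compare with ===.
function checkStrict(supplied) {
  return typeof supplied === "string" && supplied === STORED_CODE;
}

// Constructed JSON request bodies, as a client could send them.
const BODIES = [
  '{"code": "0042"}',   // the correct string
  '{"code": 42}',       // number: "0042" is coerced to 42
  '{"code": 4.2e1}',    // same number, different spelling
  '{"code": ["0042"]}', // array: coerced to the string "0042"
  '{"code": "42"}',     // wrong string: both checks reject
  '{"code": null}',     // both checks reject
];

// Run both checks over each parsed body so disagreements are visible.
function compareChecks(bodies) {
  return bodies.map((raw) => {
    const { code } = JSON.parse(raw);
    return { raw, loose: checkLoose(code), strict: checkStrict(code) };
  });
}

for (const r of compareChecks(BODIES)) {
  const flag = r.loose !== r.strict ? "  <-- accepted only by ==" : "";
  console.log(`${r.raw.padEnd(20)} loose=${r.loose} strict=${r.strict}${flag}`);
}
```

Validating the type of parsed JSON fields before comparing them closes this gap regardless of which operator is used afterwards.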