“I installed some third-party PHP software and didn’t turn on auto-updates for that software, and then my server got hacked” is a hit on your server admin skills, not PHP.
The attack vector was directly through php. Everything was upgraded to the latest. It was the theme that was hacked. How that is related to admin skills makes no sense.
If it was the theme that was hacked then it wasn't PHP it was the design of wordpress and the theme specifically. Almost all hacks of wordpress are not due to workpress itself but due to the themes and extentions.
If it was written in another language you'd have the same problems with the same architecture.
Wordpress gets exploited because it's popular, not because it's written in PHP