[wdewind]

I literally have no idea what you mean by this. Are you trying to imply there are people who write bug free code? If so please point me in their direction.

People make mistakes. Systems should be designed for this expectation. If mistakes are extremely costly it implies you should use certain tools and development methodologies, if not you can use others.

[sarciszewski]

Code that is bug-free and code that is free of security-affecting bugs are not the same thing.

For an example of an application that is currently free of application-layer security bugs, see my blog. It's not a CMS, I wrote it myself. Go ahead and try to hack it. :P

[wdewind]

I feel like you're arguing against a strawman that I don't think secure applications can be written in PHP. I don't think that.

Edit: put another way: if you are starting from scratch and your main focus is security, why would you use PHP?

[sarciszewski]

Familiarity. I know its quirks inside out and therefore know which mistakes not to do. If you point me to Python and say "build a secure web app," I'm going to need to spend a lot of time researching.