Hacker News
by sarciszewski 4226 days ago
Code that is bug-free and code that is free of security-affecting bugs are not the same thing.

For an example of an application that is currently free of application-layer security bugs, see my blog. It's not a CMS, I wrote it myself. Go ahead and try to hack it. :P

1 comments

I feel like you're arguing against a strawman that I don't think secure applications can be written in PHP. I don't think that.

Edit: put another way: if you are starting from scratch and your main focus is security, why would you use PHP?

Familiarity. I know its quirks inside out and therefore know which mistakes not to make. If you point me to Python and say "build a secure web app," I'm going to need to spend a lot of time researching.