Hacker News
by lojack 4074 days ago
Secure PHP is certainly possible, and not even that difficult. The problem is that insecure PHP is even easier to write.

In my experience, most vulnerabilities tend to come from insecure, poorly written, unvetted third-party plugins and libraries.

Someone writes a plugin that creates a widget; security is either a non-thought or an afterthought. They think someone else might like the widget so they publish it. Thousands of people find it useful, even years after it was originally released. They are all unknowingly using an insecure piece of software.