In 15 years of hosting hundreds of PHP site, I've never seen a single coredump. Is it just me ?
Technically you're right. However how you're setting these things depends on your needs. Let's assume you have a server where several people develop software on. You may want to allow them to create core dumps for debugging purposes. Whether you set a hard or soft limit thus depends on your use case.
I'd say usually setting a soft limit is good enough. Yes, this means users can lift the limit, however if they play with the ulimit coredump setting I assume they know what a coredump is, thus it should be okay.
Then set the hard core size limit for the user you're deploying as (you don't deploy as your development user, right?) and then set the soft limit for everyone else.
Appears to be the case for BSD as well:
An early proposal also required symbolic signal_names to be recognized with or without the SIG prefix. Historical versions of kill have not written the SIG prefix for the -l option and have not recognized the SIG prefix on signal_names. Since neither applications portability nor ease-of-use would be improved by requiring this extension, it is no longer required.
Not all WWW sites in the world are complex constructions of server-side scripting languages, plug-ins, cookies, user account authentication, and "business logic". Some serve up static content with code that has been around for decades and in the public domain for at least one decade. A core dump does not expose secret information on such sites, because there is no secret information to expose.
It's just untidy. (-:
Of course, it is a lot harder to cause these HTTP servers to dump core in the first place. The article's note about PHP being a source of core dumps again has the implicit assumption that PHP is involved in all WWW servers in the first place. It is not. Moreover, good practice for at least one such of these HTTP servers is to run them under the aegis of an unprivileged and dedicated to the purpose user account that has no owner nor write access to any filesystem object anywhere under its changed root. Thus they cannot create a core dump file irrespective of core dump size resource limits.
The linked article also explains how to change where core dumps are saved. Maybe your system is configured to save them in a specific folder (I have no clue what macOS' default settings for core dumps are!).
I wonder how that relates to this article?