Despite you saying "backward compatibility", the only one of those things that has anything whatsoever to do with PHP is register globals. All the other ones are programmer choice, and have nothing to do with "backward compatibility". But it does sound like quite a horror story.
When using Ruby, you're using Ruby on Rails 95% of the time ... which means database access is more often than not properly escaped (it's the API's default, and according to the path of least resistance, people rarely do string concatenation for SQL queries).
When using Python's Django (mostly a default nowadays), all string output in templates is escaped by default (you've got to make it explicit if you don't want it). Also, in Django all forms submitted are protected against CSRF attacks by default.
In no case above are you allowed to do "; drop table users", since most ORMs that were made by people with brains can detect that you want to do a DDL when a SELECT is expected. You've got to use the raw Python DB API for that, and that's not easier than just going along with what the framework gives you.
E.g. Django 1.2 added raw queries, but this will trigger an error since it is not a plain SELECT:
    Users.objects.raw("DELETE FROM users")
Without a framework like Django, you can't really do web development in Python without blowing your brains out.
Every other popular web platform isn't like PHP, which is a language specifically made with clear hooks for processing requests / spitting out HTML (right there, in the language).
Heck, you can't even write a PHP script that doesn't contain a "<?php" tag.
I'm not saying that bad code isn't universal, but PHP makes it a whole lot easier to do stupid things, and not in a Lisp-esque way.
PHP's "magic quotes" feature was enabled by default for many years. This practically guaranteed issues with escaped database strings. (Unless the developer spent more time debugging than it would have taken to do it properly in the first place.)
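The two points raised in the thread (bound parameters as the safe default, and magic quotes mangling stored strings) can be seen side by side in this added example, which is not code from any of the posts. It uses Python's `sqlite3` module; the `addslashes` helper is a hypothetical emulation of the escaping magic quotes applied, and the table and inputs are constructed for illustration.

```python
import sqlite3


def addslashes(s: str) -> str:
    """Hypothetical emulation of the escaping PHP magic quotes applied
    to request data: backslash-escape \\, ', " and NUL."""
    for ch in ("\\", "'", '"'):          # backslash first, so added ones are not re-escaped
        s = s.replace(ch, "\\" + ch)
    return s.replace("\0", "\\0")


def store_and_read(conn, name):
    """Insert with a bound parameter and read back what was actually stored."""
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    row = conn.execute("SELECT name FROM users ORDER BY id DESC LIMIT 1").fetchone()
    return row[0]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")

    # Constructed sample inputs: an ordinary name and the thread's example.
    raw_inputs = ["O'Brien", "x'; drop table users; --"]
    results = {}
    for raw in raw_inputs:
        results[raw] = {
            # Bound parameter only: the value is stored verbatim, as data.
            "bound": store_and_read(conn, raw),
            # Magic-quotes-style input, then bound: stray backslash is stored.
            "magic_quotes": store_and_read(conn, addslashes(raw)),
            # Magic quotes plus the developer's own escaping: it compounds.
            "double_escaped": store_and_read(conn, addslashes(addslashes(raw))),
        }

    table_exists = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone()[0] == 1
    row_count = conn.execute("SELECT count(*) FROM users").fetchone()[0]
    return results, table_exists, row_count


if __name__ == "__main__":
    results, table_exists, row_count = demo()
    for raw, stored in results.items():
        print(repr(raw), "->", stored)
    print("users table intact:", table_exists, "rows:", row_count)
```

With binding, the driver never interprets the value as SQL, so any escaping applied beforehand ends up in the stored data instead of protecting it.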