While there are some features of PHP which are inherently a bad idea (register globals for example) these are, for the most part, deprecated and removed in the most up-to-date version.
I agree with other views that it is the programmer's code that is insecure, not the language itself.