"One of these things, is not like the others, one of these things is not the same..."
No, there's nothing "mythical" about bad PHP security. At the point where there is a two-order-of-magnitude difference between PHP and Python/Perl/Ruby, I stop even really caring about the "why". PHP may be popular, but it's not that much more popular. (And even if you want to say that PHP is two orders of magnitude more popular, well, not all Python/Perl/Ruby vulns are web-related, either.)
Well, all those bugs seem to be related to apps written in PHP but not related to PHP itself - other than at some places making it confusing for beginners to know what to use.
And if there are many bugs in apps this is also correlated to the fact that there are a LOT of apps but not enough good developers... ;)
I like this quote about PHP: "PHP is just this piece of shit that you just put together—put all the parts together—and you throw it against the wall and it fucking sticks." (Terry Chay)
Ok.. nice way to leave logic at the door, but it's not just that PHP is more popular. It's that it's been around longer than Python and Ruby. That list goes back a decade for PHP.
Anybody using PHP seriously in a production environment is also using Suhosin and PHP is secure enough at that point to just be a consideration and not a problem.
No, as documented by others, it is that PHP has a long history of virtually begging you to put security vulnerabilities into your app, then jerking you around with crappy fixes, which interact poorly with other crappy fixes. As far as I am concerned, I can't afford to use PHP, because the community has a long, long, long history of claiming X is secure when in fact it is very, very not. ("No, really, we got it this time!") I have no reason to trust your assurances that no, no, really, really, it's all right this time, if you add this thing that I presume is not a core app and tweak it right and... no, thanks. The PHP community has no credibility left on that front, hasn't had it for years, and I've not seen some burst of skill lately that convinces me any differently.
PHP's four years younger than Python and a year or two younger than Ruby. Age is no excuse for its security problems -- nor is the No True Scotsman fallacy sufficient to wave away its flaws.
http://osvdb.org/search?request=Python
http://osvdb.org/search?request=Perl
http://osvdb.org/search?request=Ruby