PHP is under increased security scrutiny, which comes as little surprise.
PHP is a dynamic scripting language, and a favorite tool of hobbyists (think “personal home page”). Plenty of folks start open-source projects in PHP, those projects become popular for their ease of installation and use (think Mambo), and few pay attention to the cross-site scripting holes and the like until long after businesses have decided to use them.
The issue isn’t inherent flaws in the language per se, but the effort PHP is going to have to make to get out of the “script kiddie” arsenal. Is this an opportunity for someone to set up shop doing nothing but fixing holes in PHP-based applications, or is the world going to wait for the open-source workhorses to find them themselves?