A lot of people do not believe that PHP (the web-based programming language) is inherently insecure. Yes, it is!
I had a conversation with a co-worker a while back in which he told me, "Oh, no. It is secure." Umm... No. It is not.
PHP trusts every input you pass to it, including global variables and URL parameters. It does not automatically escape that input, or even know to check for escapes. It will let you display direct locations of files or resources on your site. These behaviors are dangerous and could lead to MySQL injections and worse.
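To make the point above concrete, here is an added example (not code from the original post) that puts the unescaped pattern beside the hardened one for both a query and HTML output. It assumes PHP with the PDO and pdo_sqlite extensions, uses an in-memory SQLite database as a stand-in for MySQL so it runs offline, and the table, data and function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample data; in-memory SQLite stands in for MySQL (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)");
$db->exec("INSERT INTO users (name, email) VALUES
           ('alice', 'alice@example.test'), ('bob', 'bob@example.test')");

// Constructed stand-in for $_GET['name']; PHP hands it over exactly as sent.
$name = "nobody' OR '1'='1";

// Before: the value is concatenated into the SQL text, so the quote inside
// the input closes the string literal and the remainder is parsed as SQL.
function findUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name, email FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// After: a prepared statement sends the SQL and the value separately, so
// the value is only ever compared as data.
function findSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output side: echo prints input verbatim; escaping is an explicit call.
function render(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The unsafe query matches every row; the bound one matches none.
printf("unsafe query rows: %d\n", count(findUnsafe($db, $name)));
printf("safe query rows:   %d\n", count(findSafe($db, $name)));

$markup = '<b>hello</b>'; // constructed sample input containing markup
echo 'raw echo:     ', $markup, "\n";
echo 'escaped echo: ', render($markup), "\n";
```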
So, when someone tells you that PHP is secure by default, you'll know they have no idea what they're talking about.