Are you aware of any analysis as to the extent that is actually true, ie for distro X or Y which patches really have been backported and which are skipped?
Yes. For most CVEs, the major distributions do backport fixes. They don't however backport all security fixes.
For example, there was a bug in crypt's bcrypt implementation which would cause collisions for certain classes of passwords (specifically those with characters with high bits set). The fix in 5.3.6 was to add a check into the normal $2a$ implementation, and to add $2x$ (legacy) and $2y$ (proper implementation). So when using > 5.3.6, you can enforce proper behavior using $2y prefix to crypt. CentOS backported this into their 5.3.3 version. Debian did not. So from a security standpoint, we now how a divergence between the two.
I wonder how much your "% of installs that are secure" statistic could be inaccurate due to most (I'd hope) sites that care even slightly about security suppressing the Apache header PHP version information.
Absolutely. The analysis is only as good as its data source. There are other people looking at other data sources (httparchive for one) to try to get more data for it. But ultimately I had to go with what I had.
I suppose there are also questions as to what "insecure" means in practice.
Well, perhaps insecure is an extremely misleading term in this context. Vulnerable would be better. Yes, an attack vector may not exist, but the vulnerability does. The reason this is important is that today you may not be using unserialize() on user input, but that doesn't say you won't tomorrow. The hole will exist, the vector would be what's created.
Check out my slight elaboration on this in this comment