I CAN tell you why PHP 3.x and 4.x were used in a lot of projects with security problems. I've made many posts here going into detail. The biggest thing was probably autoglobals. That was insane for a WEB language, even one then intended to be easy. It might make sense for local macros (vbscript) that are supposed to be written by non-programmers.
If you combined a few of PHP 4.x's blind spots with stupid Plesk running the script via suexec, you either found out you quickly got owned, or more often got owned and didn't even know it.
PHP really sucked in terms of security and there were several very clear reasons for that. Some will say even old PHP could be used to write secure software. Nope, not with the default PHP.INI configuration. Even a blank, empty PHP script contained a significant security risk.
Things are MUCH improved. People who actually know something about language design have gotten involved. Rasmus has said publicly that he doesn't know anything about language design, and early versions of PHP proved that. Of course, he wasn't originally creating a programming language; PHP was a CMS, written in Perl. It was ABused as a general-purpose programming language, and it didn't do a good job in that role, because it wasn't designed for that role. The newer versions ARE designed as a general-purpose web programming language, and they are much better suited to the task.