As AC below pointed out, bad code can be written in any language. I worked for a University of California campus when UCLA got hacked a couple of years ago due to a SQL injection attack. Their choice of platform? C#/MSSQL.
Programmers on our own team (C#, MSSQL) wrote SQL injection-friendly code - I can't remember how many times I've caught unsanitized input being put into a SQL query without proper sanitization or "SqlParameter-ization" - by people who had written enterprise-level apps for years prior, and who should have known better.
PHP has mysql_real_escape_string, which sanitizes input. I've written my own Ruby-on-Rails-ish helper functions to sanitize input in a less hackish fashion in PHP. There's always a way.
This type of shit will continue to happen until people realize that security in today's web development is as important (if not more so) than programming skill, and stop hiring dipshits without proper screening.
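The two patterns the comment above contrasts (string concatenation versus SqlParameter-style parameterization, plus mysql_real_escape_string-style escaping) are shown side by side below as an added example; it is not code from the original post. Python's sqlite3 module stands in for C#/MSSQL and PHP/MySQL because the bind-parameter and quote-escaping mechanics are the same; the table, rows and crafted inputs are all constructed for the demonstration. It also shows the caveat a practitioner wants: escaping only helps when the value lands inside a quoted string literal, while a bound parameter is safe in either position.

```python
import sqlite3


def make_db():
    """Constructed in-memory table with three sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """The pattern the comment describes: user input glued straight into the SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, name):
    """SqlParameter / prepared-statement equivalent: the value is bound, never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def escape_quotes(value):
    """Stand-in for mysql_real_escape_string: SQLite escapes a quote by doubling it."""
    return value.replace("'", "''")


def find_user_escaped(conn, name):
    """Escaping works here because the value sits inside a quoted string literal."""
    sql = "SELECT name FROM users WHERE name = '" + escape_quotes(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_id_escaped_unquoted(conn, user_id):
    """Same escaping, but in an unquoted numeric position it removes nothing useful."""
    sql = "SELECT name FROM users WHERE id = " + escape_quotes(user_id)
    return [row[0] for row in conn.execute(sql)]


def find_by_id_parameterized(conn, user_id):
    """A bound parameter is safe regardless of whether the SQL position is quoted."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))]


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # constructed: turns the WHERE clause into an always-true test
    print("vulnerable     :", find_user_vulnerable(db, tautology))      # every row leaks
    print("parameterized  :", find_user_parameterized(db, tautology))   # [] - treated as a literal name
    print("escaped/quoted :", find_user_escaped(db, tautology))         # [] - escaping suffices here
    numeric_input = "1 OR 1=1"  # constructed: no quote to escape, so escaping is a no-op
    print("escaped/unquoted:", find_by_id_escaped_unquoted(db, numeric_input))  # every row leaks
    print("param by id    :", find_by_id_parameterized(db, numeric_input))      # []
```

The lesson for code review is that "did they call the escape function?" is the wrong check; the right one is "does every user-controlled value reach the database as a bound parameter?" The escaped-but-unquoted case is exactly the kind of query that passes a superficial review and still leaks the whole table.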