Personally, I blame the MySQL team for nightmares like phpBB and vBulletin. After all, mysql_query is still available in the language, despite being at fault for a staggering percentage of PHP application security flaws. The PHP folks have at least finally deprecated it in 5.5, and theoretically it will go away in the future, though at this point it is so ingrained that when they do, most folks will just reimplement it using a template-based query, but with no template fields, and we'll be in the same boat as we are now.
In an ideal world, that function/method should never have existed in MySQL to begin with. But even if we accept that it was unavoidable, the function/method should have been removed from MySQL a decade ago, because even way back then, it was obvious how flawed an API it is. Had they done so, it wouldn't have continued to exist in the PHP bindings, because it wouldn't still have been in the library.
The rest of the security problems with PHP are, as far as I can tell, pretty much comparable to any other language—improper quoting of content for use in various aspects of HTML output, cross-site scripting bugs, etc.
BTW, if you want a PHP bulletin board that's more sane, check out JaxBoards, and grab my fork where I rewrote every single database call to use template-based queries. It's a fairly clean design that separates the presentation from the core to a significant degree, and whose database code is fairly straightforward. If you spot any security bugs that I haven't already fixed in my branch, let me know.
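The point above about reimplementing mysql_query as "a template-based query, but with no template fields" can be seen in the following added example, which is not part of the original comment and not code from JaxBoards or the fork. It assumes PDO with an in-memory SQLite database standing in for MySQL; the table, the sample rows, and the function names `legacy_query` and `template_query` are hypothetical.

```php
<?php
// Added example: table, data and function names are constructed for illustration.
// SQLite in-memory stands in for MySQL so the script runs offline (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO members (name, email) VALUES
           ('alice', 'alice@example.test'), ('bob', 'bob@example.test')");

// mysql_query-style shim: a prepared statement with no template fields.
// The SQL text is already assembled from user input before prepare() sees it,
// so preparing it adds no protection.
function legacy_query(PDO $db, string $sql): array
{
    $stmt = $db->prepare($sql);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Template-based query: the SQL text is fixed and values travel separately.
function template_query(PDO $db, string $sql, array $params): array
{
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input containing a quote that changes the statement's structure
// when it is concatenated into the SQL string.
$name = "nobody' OR '1'='1";

$concat = legacy_query($db, "SELECT email FROM members WHERE name = '$name'");
$bound  = template_query($db, 'SELECT email FROM members WHERE name = ?', [$name]);

printf("concatenated: %d row(s)\n", count($concat));
printf("bound:        %d row(s)\n", count($bound));
```

When auditing a code base, calls shaped like `legacy_query` (a prepare or query call whose SQL argument contains interpolated variables and no placeholders) are the ones to flag, regardless of which database API they sit on.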