Keep in mind that perhaps a majority of wordpress.org sites that have been around for a year or more have been hacked in some fashion at some point, and that the reason is that PHP encourages the kind of terrible code and unsafe-by-default environments that make this possible.
> WordPress sites get hacked because the owner fails to update the platform
Why are the updates even necessary? If you are still on Rails 2.3.8, you aren’t getting hacked just because you didn’t move to Rails 3 yet. But the situation with WordPress & its ecosystem seems waaay less secure by default.
> This can be said about any platform, regardless of the language.
Edit: For example, I am thinking of how various templating languages, including Jinja2 (for Python) default to auto-escaping strings you're echoing, but with PHP, you by default have to explicitly think about it and call `htmlentities($x, ENT_QUOTES, 'UTF-8')` all the time.
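An added illustration of the default the comment contrasts (not part of the original comment, and a standard-library stand-in rather than Jinja2 itself): an escape-by-default formatter next to an opt-in render where the caller has to remember to escape. `Safe`, `AutoEscapeFormatter`, `render_opt_in`, `render_auto` and the sample values are constructed for this example.

```python
import html
from string import Formatter


class Safe(str):
    """Marks a value as trusted HTML, the explicit opt-out from escaping."""


class AutoEscapeFormatter(Formatter):
    """Escape-by-default: every substituted value is HTML-escaped
    unless the caller wrapped it in Safe."""

    def format_field(self, value, format_spec):
        text = super().format_field(value, format_spec)
        if isinstance(value, Safe):
            return text
        # quote=True also escapes " and ', which matters inside attributes
        return html.escape(text, quote=True)


def render_opt_in(template, **ctx):
    # Opt-in model: values go into the markup verbatim unless the caller
    # escaped each one beforehand (the "call htmlentities all the time" case).
    return template.format(**ctx)


def render_auto(template, **ctx):
    # Escape-by-default model: forgetting to escape is not possible;
    # emitting raw HTML requires a deliberate Safe(...) wrapper.
    return AutoEscapeFormatter().format(template, **ctx)


# Constructed sample template and user-controlled values.
TEMPLATE = '<p title="{title}">Hello, {name}</p>'
USER_INPUT = {
    "name": "<b>Mallory</b> & co",   # markup in an element body
    "title": 'a" data-x="1',         # quote that breaks out of an attribute
}

if __name__ == "__main__":
    print("opt-in :", render_opt_in(TEMPLATE, **USER_INPUT))
    print("auto   :", render_auto(TEMPLATE, **USER_INPUT))
    print("safe   :", render_auto("{x}", x=Safe("<em>reviewed</em>")))
```
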