As for "Secure by default". PHP can be perfectly secure. PDO supports parameterised queries, and was first available in PHP 5.1, which shipped just short of SIX YEARS AGO. Even mysqli supports parameterised queries, and that shipped more than SEVEN YEARS AGO.
If you're using the ancient mysql extension (i.e. the mysql* functions) that is YOUR FAULT, not the fault of the language.
As for "Secure by default". PHP can be perfectly secure. PDO supports parameterised queries, and was first available in PHP 5.1, which shipped just short of SIX YEARS AGO. Even mysqli supports parameterised queries, and that shipped more than SEVEN YEARS AGO.
If you're using the ancient mysql extension (i.e. the mysql* functions) that is YOUR FAULT, not the fault of the language.