As much as I want to defend PHP a bit as a PHP coder who at least _tries_ and is kind of sick of the pile-on (while understanding the rationale), I'm reminded of the thousand-odd reasons that PHP sometimes makes me just want to cry into my coffee.
I think it's both bad code and PHP... specifically bad code written on old versions of PHP on crap shared hosts where that's the only server-side language available. It should be harder to write insecure code with PHP, but it isn't. A language whose entire purpose is to process requests and return content should have security baked into its core. I shouldn't have to wake up one day and find out that "oh, anyone who adds an ?-s flag to their queries can maybe read your source code or whatnot." Now granted, it wasn't that common, but it should never have existed. PHP may not be the great evil some claim it is, but there are parts of it that jump out of the dark and bite you, no doubt.
The security vulnerability occurred because of Rails models' mass attribute assignment, which you wouldn't have in a less dynamic language. So yes, that's a problem at least partially attributable to the language.
This is a PHP bug: http://www.networkworld.com/news/2011/010511-php-floating-po...
Everything else? Bad code.