Discussion on: Imposter Syndrome: PHP Edition

Leon Oskam (astraldisaster)

I think that is part of it, yeah. The fact that PHP is used in web development and is at first glance a relatively easy language to pick up means that a lot of people came to it from a design/front-end developer perspective. Even if you're a designer who has never really programmed anything before, it is relatively easy to make changes to, or write new, server-side code that "works", but it can lead to codebases written by people who lack good fundamentals of software engineering and security best practices, which, especially for public-facing websites, can be dangerous.

This was arguably a bigger problem in the old days of PHP when the default installation of PHP had some very questionable security practices (e.g. magic quotes and register_globals defaulting to on in PHP 4) and when the built-in MySQL API did not yet support prepared statements meaning you had to manually sanitize/escape your queries to avoid SQL injection vulnerabilities (this was improved when the mysqli API was added in PHP 5, though the old MySQL API remained available and I suspect a lot of people continued using it unfortunately).
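The contrast the comment above draws, string-built queries versus prepared statements, as an added example that is not part of the original discussion; it assumes a `users(id, email)` table and placeholder credentials.

```php
<?php
// Added example, not from the original comments. Assumes a table
// users(id, email) and placeholder connection credentials.
declare(strict_types=1);

// Throw exceptions on mysqli errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'app');
// Tell the driver the connection charset so any escaping it does is correct.
$db->set_charset('utf8mb4');

// Before: the legacy pattern the comment describes. The query text is built
// from request input, so correct escaping is left entirely to the developer
// on every call; forgetting it once is an SQL injection bug.
function findUserLegacy(mysqli $db, string $email): ?array
{
    $sql = "SELECT id, email FROM users WHERE email = '" . $email . "'";
    $result = $db->query($sql);
    return $result->fetch_assoc() ?: null;
}

// After: a mysqli prepared statement. The statement text is sent to the
// server first and the value is bound separately, so user input can never
// alter the structure of the query. (get_result() requires mysqlnd.)
function findUser(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$email = (string) ($_GET['email'] ?? '');
$user = findUser($db, $email);
echo $user ? "found user {$user['id']}" : "no such user";
```

Escaping with mysqli_real_escape_string() is the fallback when a statement cannot be parameterised (identifiers, for instance), but for values the prepared form above is the default to reach for.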

Andrew Davis (restoreddev), Author

Good point. PHP’s ease of use can also be its downfall sometimes.

I know security was a common issue with PHP, but I’ve been encouraged to see the core team putting more effort in that area like the MySQL extension being removed in 7.0 or libsodium being added to 7.2.