Security is not about language.
It's all about validation, and I think PHP has already proven itself for building web applications, and moreover for enterprise applications.
My response about open-source-related security:
It has pluses and minuses.
All the source code can be read by the public, which might let an attacker see vulnerabilities,
but for the community it's also useful for getting hotfixes and for other security issues that are popular now.