I dunno, PHP seems to have a lot of foot-guns.
include $_GET[...], register_globals, magic quotes, extract($_REQUEST), weak comparisons, loose typing, eval, risky file upload defaults/patterns, preg_replace /e, dangerous deserialization gadget chains, path traversal into includes, and the whole "URLs can be file paths" abstraction...
PHP is basically "RCE-as-a-Service" as far as I'm concerned. Allowing a URL in any function that wanted a file path was an absolutely bone-headed design choice. They made `curl | php` a language feature.
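As an added illustration (not part of the comment above), here is one defensive pattern against three items in that list: `include` on request input, path traversal into includes, and URL-style paths. The function name `resolve_include`, the page names and the temp directory are hypothetical and constructed for the demo.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the comment): map an untrusted page name to a
// file that is safe to include, or return null.
function resolve_include(string $name, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist with strict comparison: loose typing cannot match, and
    //    "../" segments or "scheme://" strings are never in a fixed list.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: canonicalise and confirm the file is inside $baseDir.
    //    realpath() returns false when the file does not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temp directory holding a single page.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<?php return 'home';\n");

$allowed = ['home', 'about'];   // 'about' is listed but its file does not exist
$inputs  = ['home', 'about', '../../etc/passwd', 'http://example.test/x', 'php://input', '0'];
foreach ($inputs as $in) {
    $p = resolve_include($in, $dir, $allowed);
    printf("%-24s => %s\n", $in, $p === null ? 'rejected' : 'include ' . basename($p));
}

// The URL-as-path behaviour is governed by these ini settings; report them.
foreach (['allow_url_fopen', 'allow_url_include'] as $k) {
    printf("%s = %s\n", $k, var_export(ini_get($k), true));
}

unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($dir);
```

Only `home` resolves to a path; every other constructed input is rejected before it can reach `include`.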