Well, in 2006 PHP accounted for 43% of identified security issues on websites. It certainly has gotten better since then, but the potential for misuse is still there.
This article also gives a nice overview of the problems.
Some of them aren't specific to PHP (validating user input, for example) but hit PHP hard because it doesn't enforce standards. There are also PHP server settings like global variables that can be mis-set if you don't pay attention.
Here is a list of PHP-related security articles that are worth a read. And this thread has an interesting discussion on PHP security. Yes, I hang out at LQ a lot.
Basically, PHP is pretty easy to learn, and a decent web stack isn't hard at all to set up (heck, there are a bunch of pre-packed ones like WampServer out there), so a lot of newbies can start tackling making their own web sites. But what is missing from almost all these discussions is the issue of security. If you're putting something on the web, it is going to be attacked, period. And unless you've taken steps to control access, monitor the state of the server, and have the ability to detect and recover from a breach, you have no business operating a web server. If you just slap something out there, sooner or later it will become a spam-spewing zombie, and poorly coded PHP apps are one of the major vectors for turning those shiny servers into zombies.