Before claiming that a stereotype is false, please be sure that it is. Looking on secunia, PHP 4.3.x
has had 4 security advisories this year, of which one is still unpatched. (A remote information exposure bug.) Last year they had 5 advisories of which one is still unpatched. (You can locally hijack port 80.) All of these bugs affected all operating systems that PHP is on.
In that time Perl 5.x has had one security hole, which is now patched. That was a buffer overflow bug in the Windows version of stat.
From that I'd say that PHP really does have a security track record that could legitimately cause concern.