People condemn languages for two security reasons: the average level of competence in products usually written in a language, and the amount of footguns a language provides.

PHP is very easy to learn, which is why a lot (really, a _lot_) of open source software is of very questionable quality. For many, it's the first programming language someone learns, which means the quality is often far from what a developer is capable of with a little more experience.

PHP also has a lot of weird functions and behaviourisms, all perfectly well documented (but nobody really reads up on the details of `isset`, it seems). APIs seem inconsistent and mysql_escape_string and its cousin mysql_real_escape_string tell a story of a problematic history. There's also the typing issue that plagues all loosely typed languages.

I personally consider Go to be more secure of a language than PHP or Python because the behaviour is a lot easier to understand.

Of course properly written, typed, well-tested PHP can be a lot better than many Go products, but the expectations for the different language are just different because of the different levels of experience programmers are when they start with each language.