The PHP ecosystem has some really awful defaults, which is why it's developed such a bad name for itself. It may be that many of these are there to accommodate misconfigured web hosts, but this behavior has a way of self-perpetuating.
Example: PHP 5.5 will be running for the next billion years because when mysql_query is finally put to rest in newer versions, all those applications that depend on it will fall over. Thus, a legacy version of PHP will be supported by hosts, bugs, security holes and all.
"You either die a hero, or live long enough to see yourself become the villain..."
Actually, it comes back to the user, not so much the coder. After I left a job a while back they hired some random as a replacement. The replacement had no Linux experience, so the next best thing for them was to tell the owner to move all software to a shared host (which they had had experience with before).
Everything was written below a public root, but the shared host didn't allow this, so the next thing you saw was: domain.com/publicroot/index.php when the new developer took over. The funniest thing was that they had internal subdomains which ended up public as well, one with full customer listings.
"Never attribute to malice that which is adequately explained by stupidity." - Hanlon's Razor
> Example: PHP 5.5 will be running for the next billion years because when mysql_query is finally put to rest in newer versions, all those applications that depend on it will fall over. Thus, a legacy version of PHP will be supported by hosts, bugs, security holes and all.
> "You either die a hero, or live long enough to see yourself become the villain..."
PHP crossed the line from hero long ago.