I can second the remark about dodgy CMSes. I have had the dubious pleasure of disinfecting a machine which got infected by a rootkit, thanks to some badly-written CMS software (written in PHP, as it happens, but that's by the by). The problem is related to file upload by HTTP and the way Windows handles permissions. And it's not a problem with PHP per se, but with the way some people (mis)use it.
Every file on a Windows box has execute permission set. (This appears to be a designed behaviour of Windows.) If you do not perform a chmod on it after upload, it keeps its execute bit. (This is entirely to be expected, and any other behaviour would violate the Principle of Least Surprise.) And if you transfer the uploaded file to a directory from which the web server can serve pages directly to the outside world, it becomes a CGI script. (This is a designed behaviour of the web server: on a UNIX system, files with execute set are executed and their STDOUT stream is served up.) In short, by uploading a crafted script from a Windows host using a badly-written PHP script on a webserver, you can execute arbitrary code on the server.
A naïve developer testing PHP scripts on a Linux desktop machine with Apache + PHP installed (a very common environment for pre-deployment testing; always used to be a Windows desktop with Apache + PHP, but it's easier nowadays to get Linux up and running than it is to get Apache + PHP on Windows up and running) probably will not spot this, because files uploaded from Linux hosts usually do *not* have the execute bit set. Furthermore, development systems tend to be on the safe side of a NAT router and so will never end up getting the second half of the exploit (where someone gets in as root using a modified sshd).
One possible fix would be for the PHP developers to add a third parameter to move_uploaded_file() allowing you to set the permissions on the destination file, and make this default to 644 if absent. Until then, if you're developing scripts in PHP, don't forget to chmod() uploaded files -- and it probably wouldn't hurt to put a .htaccess file in your upload directory, blocking all HTTP transfers from there. (Scripts can still see the directory because they are accessing the filesystem natively, not via HTTP.)
But blaming PHP for this is a bit like blaming Severn Trent for drownings!
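
Added example, not part of the original comment: a sketch of the two mitigations it names, an explicit chmod() after move_uploaded_file() and a .htaccess that denies HTTP access to the upload directory. The helper name store_upload(), the form field "attachment", the "uploads" directory and the Apache 2.4 `Require all denied` syntax are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the original comment): stores one $_FILES
// entry in $uploadDir with fixed 0644 permissions and HTTP access denied.
function store_upload(array $file, string $uploadDir): string
{
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException("upload failed with code $error");
    }
    // Only accept a file that PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an HTTP upload');
    }
    if (!is_dir($uploadDir) && !mkdir($uploadDir, 0755, true)) {
        throw new RuntimeException('cannot create upload directory');
    }

    // Block all HTTP transfers from the directory. Assumes Apache 2.4 and an
    // AllowOverride setting that honours it; scripts still read files natively.
    $htaccess = $uploadDir . '/.htaccess';
    if (!is_file($htaccess)
        && file_put_contents($htaccess, "Require all denied\n") === false) {
        throw new RuntimeException('cannot write .htaccess');
    }

    // Server-chosen name: the client-supplied name and extension are not reused.
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.upload';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move_uploaded_file() failed');
    }
    // Set permissions explicitly: owner read/write, everyone else read-only.
    if (!chmod($dest, 0644)) {
        unlink($dest);
        throw new RuntimeException('chmod() failed; upload discarded');
    }
    return $dest;
}

// Usage in a form handler (the field name "attachment" is an assumption).
if (isset($_FILES['attachment'])) {
    $path = store_upload($_FILES['attachment'], __DIR__ . '/uploads');
    echo 'stored as ' . basename($path), "\n";
}
```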