Report of top 10 web vulnerabilities - Q4 2007 states that 29% of vulernabilities are attributable to network and infrastructure, while 71% are attributable to both open source and commercial web applications.
PHP represents 30% of all vulnerabilities. Ahem. I have mentioned this before and I still think PHP is a majorly hacked platform because people think it is "easy and cheap" and well, yes, until you get hacked. That's not to say PHP cannot be secure. It's just that the relative ease of tacking together an application that can be blown over in the wind makes it attractive for use by people who want to think they are programmers without understanding the underlying fundamentals of programming, software, web applications or security.
But then, there are many other serious applications, vendors and open source tools that have been hacked on the top 10 list, such as the #1 issue - OpenSSL - a technology meant to encrypt your data in transit as a means of security.