Attacks against WordPress installations

Agree completely. PHP can be made somewhat secure (by disabling stuff like register_globals and allow_url_fopen, and making sure that no directories are writable by Apache) but other languages seem much more secure.

Java (with Tomcat, Glassfish, etc) does seem to be gaining. That should help a lot.

Same with Python, with Django & such. And of course Rails.

I work in a managed web server environment, and I see PHP cracks all the time. I don't recall personally seeing any of the alternatives cracked.

Another idea that I think makes tons of sense for this kind of thing is privilege separation at the database level. Why does the application's DB user have full rights to the database? The answer is simple -- so it can integrate the admin interface and upgrade features, etc. But that is stupid. IMHO the user-facing Apache's DB user should have as few privileges as possible. Admin should be done another way, with a dedicated DB user for that, maybe connecting from a desktop application at the client's end (with appropriate firewalls in place to be sure no one else can attempt to connect). Maybe less convenient but MUCH more secure.