@Bass: buffer-overflows aren't there in PHP or .NET, but that's not to say that developers accessing indexes beyond array-limits aren't. It's just that the framework says "developers are going to do this wrong, no matter how much we shout at them to do it right. Therefore we will always check - and when (not if) they get it wrong, we'll avoid totalling the security of the user's system - we'll throw an exception instead".
In fairness, C/C++ only have buffer-overflows because they're old, and the language is pointer rather than object-orientated, which makes retrofitting security kinda hard. Any modern language that allows developers to construct buffer-overflows in it is really pretty lame, so PHP not having them is not really anything to be impressed with.
Language and framework developers should always assume that developers are rubbish - that way life is fine and rosy when you unexpectedly get a fantastic developer, and life isn't so bad when you get a rubbish one.
My point wasn't "ohmygosh PHP is TEH SUCK", it was that PHP encourages some bad design decisions, whilst making good design hard to do. The lack of OO until PHP 5 being a case in point - or register_globals being on by default. Sure you can make PHP secure, but you have to work at it. This is in contrast to C# ASP.NET - where you can make it insecure, but you have to work at it.
And for the record, I prefer "software security". "Cybersecurity" is a BS word invented by politicians and the media who want to combat teh-haxxors but don't really know how. "software-security" is about making software better, not just safer.
