I agree that the platform is only as secure as the application, but ASP.NET does provide some security checks that AFAIK PHP does not by default. For instance, ASP.NET prevents XSS attacks by default by detecting HTML in form inputs and throwing an exception when they're present. Also, things like forms authentication and the new User Validation controls prevent you from re-inventing the wheel - but the wrong way...