It's one of the main reasons that frameworks exist today. 99% of DEVs are not security conscious enough, and would leave gaping holes in their code. No input validation, SQL injections, trusting data posted to code without validation, on and on.

If you were continuously hacked no matter the update, likely the code was the issue not PHP. Or of course, your servers were backdoored at that point.

A framework often protects from much of this.