I've done PHP development for over 20 years, including some pretty large projects. I've never had a situation where a security flaw in PHP itself forced me to scramble to patch something before it got hacked.

On the other hand, for my Linux servers, I had to do that twice in the last month with CopyFail and DirtyFrag.