The Phacility guys know how to PHP. They used to work at Facebook. I don't like PHP either, but I trust the developers in this case.

Gitlab had its fair share of vulnerabilities, too, despite being written in Ruby. It's about the developers, not the language.

Have a look at their bug bounty program: https://hackerone.com/phabricator