
That's true, but also consider that the especially idiotic "register_globals" has been disabled in PHP for many years. If people are still enabling that manually, it is solely because they use very outdated scripts which depend on this. Then, however, the real problem is relying on those crappy old scripts, and not the usage of PHP itself.

On the other hand, there's still other stupid stuff like "magic_quotes_gpc" that has only recently been deprecated.



For new development you should disable all legacy/noob options, enable all error reporting and use PDO with prepared statements.

If you have an application that relies on register_globals or magic_quotes, you can assume it's vulnerable. PHP allows enabling these on a per-directory basis, so at least you can somewhat isolate the legacy code.
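The advice in the two comments above (refuse the legacy options, report every error, use PDO with prepared statements) put into one script. This is an added example, not code from either commenter; the DSN, credentials, the `users` table and its columns are assumptions for illustration, and it targets PHP 7 or later.

```php
<?php
// Added example (not from the thread): a request handler that applies the
// advice above. DSN, credentials, table and column names are assumptions.

// 1. Report everything while developing; never ship with display_errors on.
error_reporting(E_ALL);
ini_set('display_errors', '1');

// 2. Refuse to run if the legacy options are in effect for this directory.
//    Both were removed in PHP 5.4, so on current PHP ini_get() returns false;
//    on older builds it reflects the per-directory value (php.ini [PATH=...]
//    sections, .htaccess php_flag, or .user.ini), which is what makes the
//    per-directory isolation mentioned above observable from the code.
foreach (['register_globals', 'magic_quotes_gpc'] as $legacyOption) {
    $value = ini_get($legacyOption);
    if ($value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN)) {
        http_response_code(500);
        exit("Refusing to run: legacy option {$legacyOption} is enabled here.\n");
    }
}

// 3. Open the connection with exceptions enabled and emulated prepares off,
//    so placeholders are bound by the server instead of being interpolated
//    into the query text by the client library.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4', // assumed DSN
    'app_user',                                        // assumed credentials
    'app_password',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// The pattern magic_quotes was meant to paper over: request data spliced
// into the SQL string. Kept only as a comment, to contrast with step 4.
// $rows = $pdo->query("SELECT id, name FROM users WHERE name = '" . $_GET['name'] . "'");

// 4. Prepared statement: the value travels as a parameter and is never part
//    of the SQL text, so quoting in the input is irrelevant to the parser.
function findUserByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Read the parameter explicitly instead of relying on a global being
// injected for you, which is the habit register_globals encouraged.
$name = filter_input(INPUT_GET, 'name') ?? '';
$user = findUserByName($pdo, $name);

header('Content-Type: application/json');
echo json_encode($user);
```

To keep the legacy code "somewhat isolated", as the comment puts it, leave the options off globally and turn them on only for the old directory (for example with a `[PATH=/var/www/legacy]` section in php.ini, or `php_flag register_globals on` in that directory's `.htaccess` under mod_php); the check in step 2 then fails closed for any new code that is accidentally deployed into the same tree.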



