Choice of framework is not that important. The real problem was (and, judging from the article, it's still not fixed) that his server has write access to directories it can execute code from.
I mean, this is a classic example of badly configured filesystem permissions.
This is one of the things that scares me about deploying PHP apps. I'm being asked to take over hosting a couple of Joomla & WordPress sites at work, and find it terrifying that they both ask for permission to install PHP scripts. I much prefer having a clear separation, but it seems that that isn't really an option.
Yes, PHP has weaker security but fast implementation because it allows direct database access from the front pages. There is a lot of discussion about it. I always disable PHP on the HTTPD to avoid potential issues.
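The condition raised in the first comment, a server account that can write to directories it executes code from, can be audited mechanically. The following is an added example, not part of the thread: the names `allowed`, `audit_docroot` and `build_sample_tree` are hypothetical, the sample tree is constructed, and it assumes the script handler is enabled for every directory under the docroot and that only classic mode bits (no ACLs) apply.

```python
import os
import stat
import tempfile

def allowed(st, uid, gids, want):
    """Unix mode-bit check; want is a subset of 0o7. Ignores ACLs and read-only mounts."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return (st.st_mode >> shift) & want == want

def audit_docroot(docroot, uid, gids=(), script_exts=(".php", ".phtml")):
    """List what `uid` could plant or modify under docroot.
    Assumption: every directory under docroot runs scripts, so a writable
    directory is one the server can execute code from."""
    gids = set(gids)
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot)
        # Creating a file needs write + search permission on the directory.
        if allowed(os.stat(dirpath), uid, gids, 0o3):
            findings.append(("writable-dir", rel))
        for name in files:
            st = os.lstat(os.path.join(dirpath, name))
            if (name.lower().endswith(script_exts) and stat.S_ISREG(st.st_mode)
                    and allowed(st, uid, gids, 0o2)):
                findings.append(("writable-script", os.path.normpath(os.path.join(rel, name))))
    return sorted(findings)

def build_sample_tree():
    """Constructed docroot: a read-only app/ next to a world-writable uploads/."""
    root = tempfile.mkdtemp()
    for d, mode in (("app", 0o755), ("uploads", 0o777)):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)
    for f, mode in (("app/index.php", 0o644), ("uploads/resize.php", 0o666)):
        path = os.path.join(root, f)
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(root, 0o755)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    other_uid = os.stat(root).st_uid + 1  # stand-in for the web server's account
    for kind, path in audit_docroot(root, other_uid):
        print(kind, path)
```

On a real host, pass the web server account's numeric uid and group ids; an empty result means that account cannot create or alter scripts anywhere under the docroot.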