I totally agree with your comments on PHP versions. Projects should not support PHP versions that are no longer officially supported by PHP. It dissuades people from upgrading and as you say, damages the entire ecosystem.
Once official PHP support for a version is dropped, so should project support.
I think that minor versions of projects (or major versions of software with rapid dev cycles) should start with a minimum of whatever PHP version is oldest current and stay with that for its life cycle. Hence if Drupal 8 were to go gold today it would support PHP 5.5 until 8.1 is released.
It is all of the other sites sharing on the same server who need to be afraid of those not upgrading as not upgrading produces a potential security hole on the server.
No wonder WordPress has such a bad reputation if 90% of installs are not up to date.
I used to work at a web agency who didn't care about upgrading unless the customer directly paid for the upgrade. So instead we used a lot of time to fix those sites which got hacked WITHOUT the customer paying.
It doesn't matter what developer you are, this is a general "developer commandment" I believe in.
A lot of times too, especially helping on the Internet, you might try and help someone, only to learn, you aren't quite right yourself. So you also end up learning too. I think, as a developer, being humble in knowing that I don't know everything, is also important. It is actually another commandment.
"Thou shall always be humble and never think thy knowledge is all encompassing!"
The other commandment from Bruno could be
"Thou shall always help the lesser knowing developer".
You cannot directly criticize PHP. PHP is an open source language and you can learn from the internet; there are thousands of tutorials available. You can make PHP secure by powerful scripting.
PHP is a very popular language, because it appears to be simple to learn. There are a lot of tutorials out there, but (as already said) most of them are outdated or lack security considerations.
I think the major problem is not the core. The main problem is the old versions running on small servers, because the admins are big hosting companies and they do not want to explain to the user why a specific script cannot run.
A lot of PHP programmers do a lot of coding in their free time and security has always been a pain in the a**. You can break things really fast, if you don't know what you do in the update process.
PHP (like other server technology) is open to attacks from all over the world, this fact must be emphasized on the main PHP help pages.
To fix this, we have to:
provide best practices for novices (escape input / output, check input boundaries etc.)
provide anti-patterns
encourage big frameworks to move to newer PHP versions and drop old version support