We presented to our higher-ups a while back about the security of Moodle. One of the main pushing points for security we had was that all input from the user is cleaned in some way, shape or form (in some places, it is cleaned a couple of times). This prevents SQL injections and the execution of arbitrary PHP code. In addition, ADODB (the underlying DAL) does a little bit of its own cleaning. I'd say for PHP sites, SQL injection and running arbitrary PHP code are probably the biggest overall threat to security. Also, don't forget MySQL security! That needs to be secure as well. A MySQL with user:root, password:none is probably not a good idea.
--Richie Foreman
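As an added example (not from Richie's post and not Moodle's or ADODB's own code), here is the difference in plain PHP/PDO between splicing user input into the SQL text and binding it as a parameter; the `users` table, its columns, the database name and the account credentials are assumed for illustration.

```php
<?php
// Added example: contrasts an injectable query with a parameterised one.
// The users table, the username column and the connection details are assumed.

function findUserUnsafe(PDO $pdo, string $username): ?array
{
    // Vulnerable: the input becomes part of the SQL text, so a stray quote
    // in $username changes the meaning of the statement instead of the value.
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function findUserSafe(PDO $pdo, string $username): ?array
{
    // Hardened: the value is sent as a bound parameter and is never parsed
    // as SQL, whatever characters it contains. No cleaning step is needed
    // for the query to stay intact.
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A dedicated, password-protected database account rather than root with no
// password; errors raise exceptions and prepares are done by the server.
$pdo = new PDO(
    'mysql:host=localhost;dbname=moodle;charset=utf8mb4',
    'moodleuser',
    'CHANGE_ME', // placeholder, never an empty password
    [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$user = findUserSafe($pdo, $_GET['username'] ?? '');
```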
Guide to Securing Your Moodle Server