It depends on what's being hosted. If you're dealing with legacy apps that were built in the PHP 5.2 or even PHP 4 days, be afraid. Be very afraid.
If you're dealing with more mainstream PHP apps like WordPress or Magento, it's important to stay up on the core updates but also monitor the plugins and templates being installed. The majority of the attack surface on those apps is in the plugins because they're almost never audited.
As for modern customer apps, written in frameworks like Laravel or Symfony, you're usually fine. Those frameworks are on par with Django and Rails in being very hard to shoot yourself with.
> legacy apps that were built in the PHP 5.2 or even PHP 4 days, be afraid. Be very afraid
BS. Most PHP4 code runs just fine, as does PHP5 code. Almost no one used object oriented code in PHP4 days (it was slow!), so the incompatible changes aren't a problem. And all you need to do is to search and replace some function names like mysql_* to mysqli_*. Most old code bases from PHP4 days also didn't rely on frameworks at all and were completely written from scratch or copy&pasted together - actually an advantage in this case.
Upgrading old Python or Ruby code from 1.x/2.x days is a lot more work (as it always includes upgrading to a recent framework version) than upgrading from PHP4 or PHP5 to PHP7.