PHP security

A friend thought that updating to the latest version of PHP would "automatically" provide much better security. I'm skeptical.

I've heard that most of the "unintentional" PHP security issues over the past 2-3 years were only a risk if you were accessing PHP from the local file system (not via Apache). If somebody's already on your filesystem you're going to have problems regardless of the PHP version.

My greater concern is when one intentionally has register_globals or another known security issue turned on. Keeping the code closed source mitigates the risk somewhat, but having register_globals on is by far PHP's biggest exposure, in my opinion. The register_globals functionality will be gone entirely in PHP 6, so one will have to wean off it at some point.

One's code also has to withstand SQL injection and other attacks, which a simple PHP upgrade is unlikely to do much about.

In general, improving your coding practices (e.g. sanitizing user input) will have a better security payoff than trusting the latest version of PHP to save you from yourself.
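The two concrete concerns above, register_globals and SQL injection, as an added PHP example that is not part of the original post. It shows why an uninitialised variable is dangerous under register_globals, a check that the directive is off, and a parameterised query; the function names, the `users` table and the in-memory SQLite data are all constructed for the illustration.

```php
<?php
// Added example (not from the original post): register_globals and SQL
// injection, the post's two concrete concerns, handled defensively.

// (1) The register_globals hazard at global scope (the directive affects only
// the global symbol table, not function locals):
//     if (checkCredentials($_POST['user'], $_POST['pass'])) { $authorized = true; }
//     if ($authorized) { showAdminPage(); }   // $authorized never initialised
// With register_globals=On, a request parameter named "authorized" seeds that
// variable before the check runs. Defence: initialise every variable, read
// input only from the intended superglobal, and confirm the directive is off.

function registerGlobalsIsOff(): bool
{
    // ini_get() returns false once the directive no longer exists (PHP >= 5.4).
    $value = ini_get('register_globals');
    return $value === false
        || in_array(strtolower((string) $value), ['', '0', 'off'], true);
}

function isAuthorized(array $post, string $adminHash): bool
{
    $authorized = false;                    // explicit initial value
    $user = (string) ($post['user'] ?? ''); // explicit input source
    $pass = (string) ($post['pass'] ?? '');
    if ($user === 'admin' && password_verify($pass, $adminHash)) {
        $authorized = true;
    }
    return $authorized;
}

// (2) Parameterised lookup: user-supplied text is bound as data, never
// concatenated into SQL syntax.
function findUserByName(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data: in-memory SQLite and a throwaway admin hash.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice')");
$adminHash = password_hash('example-only-password', PASSWORD_DEFAULT);

var_dump(registerGlobalsIsOff());
var_dump(isAuthorized(['user' => 'admin', 'pass' => 'wrong'], $adminHash));
var_dump(findUserByName($db, "alice' OR '1'='1")); // quotes stay inside the bound value
```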
