security

A friend thought that updating to the latest version of PHP would "automatically" provide much better security. I'm skeptical.

I've heard that most of the "unintentional" PHP security issues over the past 2-3 years were only a risk if you were accessing PHP from the local file system (not via Apache). If somebody's already on your filesystem you're going to have problems regardless of the PHP version.