The problem with Java and PHP is mostly bad stdlib design although in completely different ways (PHP also has some weird footguns about equality but those are avoidable).

PHPs stdlib is of the "stickball" variety - they just started adding to it with no style guide, which has resulted in very inconsistent naming, poor rules and lots of security issues that they for ages had to fix with workarounds since people coded against the security issues as if it was correct implementationwise.

Java suffers from an overly interfaced stdlib; the stdlib pretty much only contains standards on how to do something rather than actual implementations. The result is that the default values in the stdlib are ancient/unsafe and also aren't amended, so you don't break compatibility with older Java APIs.

Basically both have too much low quality code in their stdlib which propagates out into bad library design (since the quality of the stdlib tends to the rest of the ecosystem - see how javascripts absurdly barebones stdlib led to it accruing thousands of microdependencies).

PHP has a lot more of C++'s "All the defaults are wrong" disease than Java does, which can matter for security because if there's a security default, in PHP it's probably wrong unless you fixed it.