
From PHP documentation (http://php.net/manual/en/function.preg-replace.php)

    5.5.0  The /e modifier is deprecated.  Use preg_replace_callback() instead.



Indeed. Yet it appears we are afflicted with lazy malware authors who continue to use deprecated APIs instead of updating their exploits.

To be serious: According to the article, the call to preg_replace() was part of the backdoor added by the attackers; it wasn't a pre-existing hole in the site code.


From the perspective of an attacker it doesn't really matter if the malicious code contains deprecated things or lacks elegance or is generally ugly.


You can configure your server to log usage of deprecated features in PHP so that the attack would ultimately appear in the log. Admittedly, it would still take a pretty vigilant Sys Admin to catch it.


True, but most value hosting platforms run anything between 5.2.x and 5.4.x, with no option to upgrade.


Read: deprecated. Stop acting like it's removed in 5.5.
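
Added example, not part of the thread: a sketch of the log review suggested above, pulling the `/e` deprecation notices out of a PHP error log and listing the scripts that raised them, with `eval()`'d code attributed back to the file on disk. It assumes PHP 5.5+ with `log_errors` on and `E_DEPRECATED` included in `error_reporting`; the log lines, paths and the reviewed-file allowlist are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed PHP error log lines (paths and timestamps are made up).
SAMPLE_LOG = """\
[12-Mar-2014 10:15:02 UTC] PHP Notice:  Undefined index: page in /var/www/site/index.php on line 14
[12-Mar-2014 10:15:07 UTC] PHP Deprecated:  preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /var/www/site/legacy/format.php on line 88
[12-Mar-2014 10:16:31 UTC] PHP Deprecated:  preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /var/www/site/uploads/thumb.php on line 3
[12-Mar-2014 10:16:40 UTC] PHP Deprecated:  preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /var/www/site/uploads/thumb.php(7) : eval()'d code on line 1
"""

NOTICE = re.compile(
    r"PHP Deprecated:\s+preg_replace\(\): The /e modifier is deprecated"
    r".*? in (?P<file>/.+?) on line (?P<line>\d+)\s*$"
)
# PHP reports code run through eval() as "<file>(<line>) : eval()'d code".
EVAL_SUFFIX = re.compile(r"\((?P<line>\d+)\) : eval\(\)'d code$")


def e_modifier_hits(log_text):
    """Map each script on disk to the line numbers that raised the notice."""
    hits = defaultdict(set)
    for raw in log_text.splitlines():
        m = NOTICE.search(raw)
        if not m:
            continue
        path, line = m.group("file"), int(m.group("line"))
        ev = EVAL_SUFFIX.search(path)
        if ev:
            # Attribute eval()'d code to the file and line that called eval().
            path, line = path[:ev.start()], int(ev.group("line"))
        hits[path].add(line)
    return dict(hits)


def unreviewed(hits, reviewed):
    """Files raising the notice that are not on the reviewed allowlist."""
    return sorted(p for p in hits if p not in reviewed)


if __name__ == "__main__":
    hits = e_modifier_hits(SAMPLE_LOG)
    for path in unreviewed(hits, {"/var/www/site/legacy/format.php"}):
        print(path, sorted(hits[path]))
```

On PHP versions before 5.5 the notice is never emitted, so this check finds nothing there.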



