Indeed. Yet it appears we are afflicted with lazy malware authors who continue to use deprecated APIs instead of updating their exploits.
To be serious: According to the article, the call to preg_replace() was part of the backdoor added by the attackers, it wasn't a pre-existing hole in the site code.
You can configure your server to log usage of deprecated features in PHP so that the attack would ultimately appear in the log. Admittedly, it would still take a pretty vigilant Sys Admin to catch it.