FLOSS Weekly had one of the lead OwnCloud devs on recently. Of course, he was asked ‘why PHP’. Answer: to make it possible for as many people to deploy it as possible, on commodity shared hosting (or anything better they might have).
There's basically nothing that can achieve that level of deployability besides PHP.
Hearing that reasoning helped me with some of the concerns I had about its implementation language. It sounds like they know what they are doing, and are very careful (including careful code review), they just want the software to be as widely usable as possible.
I'll say to their credit that at least they're serious enough to publish security advisories.
Some of these errors just shouldn't be possible in a well written code base, though. I would never run OwnCloud on my own servers, or use it to store anything remotely sensitive.
There's basically nothing that can achieve that level of deployability besides PHP.
Hearing that reasoning helped me with some of the concerns I had about its implementation language. It sounds like they know what they are doing, and are very careful (including careful code review), they just want the software to be as widely usable as possible.