Reply to post: expose_php=off

Want to have your server pwned? Easy: Run PHP

Richard Lloyd

expose_php=off

I wonder how many installs run expose_php=off in their php.ini, therefore hiding the PHP version and mucking up these stats? As people have said, the latest three (5.4/5.5/5.6) PHP stable releases have all had security fixes, but the researcher claims that they're now magically "secure"? Er, they've just had a few security holes removed from the likely hundreds they still have!

Better research might have determined exactly which PHP versions have a proof of concept/active exploit that is deemed serious and then listed the percentages of sites running those versions.
