That's speculation. I've seen servers get compromised due to FTP problems, SSH misconfiguration, unpatched Apache vulnerabilities, third-party stats monitoring software with 0-days and even SQL injection.

Defacement (I consider malware injection a form of defacement) isn't unique to PHP by a long shot.