I see your point with the security risks of using php and other web applications which open up loopholes in the webmasters control panel. However I think that many hackers still use the “old” methods of phishing, i see this type of scam almost daily in my email and its usually for my paypal account or something similar, however i have been getting some emails targeted towards my actual website/control panel.