5 years if things are not updated will have vulnerabilities. It might be that framework updates will fix them, or code changes are needed, or code changes because newer versions of libraries are not backward compatible. Getting old NPM projects updated is hellish. Breaking changes are very common.
This is definitely true, but PHP is a special nightmare of a beast. I think overall PHP is underrated, and is a much better language and platform than people give credit, but damn, two weeks without updating dependencies in PHP is rolling the dice. Keeping up with all of the CVEs is a significant chunk of a full-time job.
Finally? That's a security nightmare right there.