All of that said, for any given organization the languages that are probably the most secure are the ones the developers are most comfortable writing code with. Forcing a PHP developer to write mvc.net code because you feel it is more secure is a mistake and will buy you nothing but a longer development cycle. (Exception – if your coders still swear by CGI you really are better off forcing them into something invented in the past decade even if they will have a learning curve. You probably shouldn’t have let them be so resistant to change to begin with.)
My exception to his exception: someone who can program secure C code for a CGI-based web site is probably a valuable developer. The problem is, (s)he is going to be dang hard to replace. The value in forcing your development crew to stay current with technology – at least, not five “cool frameworks” in the past – is that eventually you’re going to have to hand that code over to somebody else.
And the likelihood that their replacement can write secure C code is very low. It’s really easy to shoot yourself in the foot with C.