The Symfony2 core team takes security issues very seriously; we have a dedicated procedure to report such issues, and the framework itself tries to give the developer all the features needed to secure his code easily. Thanks to our successful community donation drive, SektionEins performed a security audit on the Symfony2 code earlier this year. The audit is now over and the good news is that the Symfony2 code is pretty solid; only minor problems have been found. They have all been addressed now
Their findings included things like the Request component trusting certain headers, bad regex validation on datetimes, password encoding issues, cookie handling and exception handling issues. Links to the fixes for each are included in the post.