In this blog entry Sebastian Bergmann notes a sudden surge of interest from the academi ccommunity about PHP.
At least with regard to using static code analysis to automatically detect security vulnerabilities in PHP applications.
I started to collect links to scientific papers on this subject here.
So far, he's already gathered a few - two from Pxy, one from Stanford, and another from the Secure Systems Lab (at the Technical University of Vienna).