In my personal opinion, the most horrible framework is Drupal. I did some testing and found that for a single page which showed 15 items from the database, Drupal needed 418 database queries. I also think that the hooking system is really bad. It's a failed attempt to implement OO features without actually using OO. If one page fails to load (due to a syntax error), all other pages that have hooks in that page also fail to load. Also, it's code structrure and the code itself are a big mess. You might wonder what this as to do with security? Well, everything. Bad security is caused by bugs, which are caused by making mistakes, which is caused by not having the right overview of your code. Drupal's code mess gives you a hard time while trying to get that overview. Drupal is dangerous. My advice: stay far away from Drupal. To prove my point, look here
I've heard good things about CakePHP. It has a nice MVC design (which Drupal also lacks) and is very well documented. Secunia only gives two advisories, which are dated from 2006.
Nevertheless, for my own websites I use my own framework, called Banshee
. It has a strict MVC design, uses XSLT for the view, has a secure (of course) database library, some simple CMS features and ready-to-use libraries for HTTP, e-mail, pagination, etc. Big con of my own framework: it lacks documentation. I'm too lazy (or too busy with other things) on that point.