Yes, JavaScript has the same string comparison problems as PHP. And it gets a ton of criticism for it. JS doesn't have all these other problems, though.
I actually clicked on several of those failed tests and there doesn't seem to be anything critical there. Looks like some access problems (test setup) and at least one needed the test to be updated.
I'm not sure when these were run but it would be easy for someone to go through all of them and give them a pass. A failed test doesn't necessarily mean that deployment should be held up. 700 failed tests is a different story.
> JS doesn't have all these other problems, though.
JavaScript has plenty of its own problems. It has legacy things you should never do. PHP has different problems (not necessarily worse ones) and things you should never do. Lists of the horrors of PHP generally include all things you shouldn't ever do mixed together to make it look much worse than it really is.
I've seen similar lists made for JavaScript (you can get some really crazy results) but that doesn't mean shit for day to day use.
The fact that the tests would be easy to fix makes it worse, not better. The problem with the tests and the security hole was not that the tests indicated severe problems, but that all these simple failing tests masked the presence of a new, serious failure. If your test output is filled with junk due to failing tests because of minor bugs, it makes it much harder to notice when your tests uncover a major regression.
> The fact that the tests would be easy to fix makes it worse, not better.
Somebody has to fix them; these things don't happen instantly.
Given the fact that they had hundreds of failed test cases and now they only have a few is a significant improvement -- and this is while development has continued. They realized the problem just as you describe; there isn't much more to say about it except they're working to fix it.
For the unit tests, it looks like there are still 100 unexpected failures in the latest release:
http://gcov.php.net/viewer.php?version=PHP_5_4&func=test...
Am I misinterpreting that?
Yes, no platform is free of security problems. But the way a security problem happens is as important as what the problem is. That PHP's unit tests are so noisy that important regressions can't even be noticed even when a test exists to catch them speaks extremely poorly of PHP compared to other languages.