My subjective opinion is that everything depends on the popularity of the language.
PHP is more popular and more poking around and finding more. Although it is possible that they find the same amount, it’s just that everything is scattered faster and faster among those people who are interested in it.
I do not think that if PHP was so full of holes in relation to ASP.NET, then the same social networks would not be written in PHP.

Not interested in this issue. Until the experts write, I will leave my opinion. Wrote both on that and on that, it is more on ASP.
It seems to me that the difference is not in the security of the platforms as such, but in the paradigm that they impose. It is possible to write not safe, as well as safe code, both there and there. But in modern ASP.NET, many of the checks are taken over by the platform, many things are taken into account, all tutorials and examples use methods and classes, built-in attributes (like the default ValidateInput) that hide many standard checks, etc.
For example, such a simple thing as SQL injections (I don’t know if there are still places where they are found) In ASP.NET - when using ORM - there is no problem as such, when using regular queries - everywhere (starting with any tutorials for dummies) it is recommended to use parameterized commands (it seems to me that I even once saw warnings from the studio or some kind of tool in the kit), and so on.
In pure PHP, you can also write good and safe code if a person knows what and how he writes, just in my opinion modern frameworks like Symfony and Zend also encapsulate part of the filtering and validation work.
Plus, there are more sites in PHP and the difference in the quality of their writing is huge, from social networks to pages of self-written online stores.

Depends on the specialist who created the project.
It is more correct to compare frameworks for PHP and ASP.NET MVC. PHP itself is just a language like C#, i.e. it is inherently vulnerable, just like C#. But in frameworks, most language security issues have been resolved.
As far as I know, both there and there there is protection against XSS, CSRF, SQL injection, the main question is whether the programmer used them or not.

Comparing interpreted and compiled languages ​​is somehow generally initially incorrect in my opinion.

because a lot more projects are written in PHP.

PHP is a language and ASP.NET MVC is a framework. They cannot be compared.

As already noted here, PHP is indeed a language, and ASP.NET MVC is a framework, so it would be more correct to compare it with some kind of PHP framework.
But if you answer the question in this particular formulation, then indeed in ASP.NET MVC they tried to make it as safe by default as possible. There are a lot of security features that come out of the box.