PHP
Ivan Ivanov, 2014-05-31 22:20:23

PHP injections in the past?

Have they not met for a long time, or do they still exist?


5 answer(s)
Vlad Zhivotnev, 2014-06-02
@0x3

In PHP 5.4, the hole that caused most injections was removed (www.php.net/manual/en/security.globals.php). So there are gradually fewer of them (as PHP is updated around the world).
But since the developers did not write better, they will not disappear.

Appp Zooo, 2014-05-31
@ikeagold

PHP injection becomes possible if input parameters are accepted and used without validation. (Source)
That is, they are, were and will be as long as there are those who do not protect the input parameters/data/etc.
Now everyone is targeting XSS, even Google is willing to pay $7500 for a vulnerability.
Here is the mini game - https://xss-game.appspot.com/
Recent post on habr about XSS habrahabr.ru/post/224773

Vitaly Zheltyakov, 2014-06-01
@VitaZheltyakov

Yes, they do exist. Of course, developers began to pay more attention to data validation, but not all of them. In addition, PHP injections through file uploads are still popular.

asd111, 2014-06-05
@asd111

This does not depend on PHP, because PHP does not filter output by default and PDO has a way to write insecurely. Frameworks solve the problem with SQL injection a little, and in order to avoid XSS, you need to filter the output of data from the database and user data.

Maxim Timofeev, 2014-06-01
@webinar

They are and will be, so you need to check the data.
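
An added example, not part of any answer above: calling `extract()` on request data recreates the `register_globals` behaviour that PHP 5.4 removed, shown next to a version that initialises its variables and validates the input parameter. The function names, the `$request` array and the page allowlist are assumptions made for illustration.

```php
<?php
// Constructed request data standing in for $_GET (sample input, not from the page).
$request = ['page' => 'unknown/section', 'is_admin' => '1'];

// BEFORE: extract() turns every request key into a local variable, which is
// what register_globals did globally. $is_admin is never initialised, so a
// client-supplied "is_admin" survives when the real check does not pass.
function legacy_is_admin(array $request, bool $authenticated): bool
{
    extract($request);
    if ($authenticated) {
        $is_admin = true;
    }
    return !empty($is_admin);
}

// AFTER: the flag is initialised and never read from the request.
function is_admin(bool $authenticated): bool
{
    $is_admin = false;
    if ($authenticated) {
        $is_admin = true;
    }
    return $is_admin;
}

// AFTER: the input parameter is read explicitly and checked against an
// allowlist before it is used anywhere (for example in an include path).
function requested_page(array $request): string
{
    $allowed = ['home', 'news', 'contact'];   // hypothetical page names
    $page = $request['page'] ?? 'home';
    if (!is_string($page) || !in_array($page, $allowed, true)) {
        return 'home';                        // fall back instead of trusting input
    }
    return $page;
}

var_dump(legacy_is_admin($request, false)); // request data decided the result
var_dump(is_admin(false));                  // request data has no influence
var_dump(requested_page($request));         // unexpected value falls back to 'home'
var_dump(requested_page(['page' => 'news']));
```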
