Instead of screaming about the blatantly obvious (if you leave your PHP misconfigured, it will be vulnerable to people who can upload scripts), I'd recommend you direct people to the authority on the matter -- that would be the PHP team. Their documentation even contains a section on PHP's Security considerations. Particularly the user-contributed notes are of interest.