In any programming language a number of trade-offs have invariably been made, but it is the sacrifice of security for power is generally the one that incites most discussion. Put simply, if PHP is configured to operate in a trusting manner, users with access to it can abuse the system in any number of ways. Whether it is writing scripts that chew up enormous amounts of CPU times, or perhaps access files that are not theirs, or maybe even using it as a diving board into a denial of service attack - the possibilities are endless. If you find a user on your server who has scripts that are taking up enormous amounts of resources, it is smart to keep in mind Hanlon's razor: "Never attribute to malice that which is adequately explained by stupidity". That is, your user might just be a bit clueless and need pointing in the right direction - why not tell them to read this book? </CHEAP_PLUG>
In a web-hosting environment, there are two distinct situations: either users have a shared server, or they have a dedicated server. Proponents of user-mode Linux (UML) would argue that UML is a third alternative, but the results are generally the same - it is a shared server.
When users have a dedicated server, web host sys admins are not likely to care how lax the owners set their servers to be, because, after all, if they write scripts to chew up 100% of the CPU time, it affects no one else. However, when PHP is running on a shared server, a great deal of care needs to be taken to ensure that access to it cannot be abused.