If you ask me, mixing presentation and logic is the core of most web development. They just missed a lot of opportunities for sanitizing data.
I also don't see how PHP goes 'out of its way'. It doesn't do anything, neither do most other web languages, you build or use existing frameworks and libraries to help with such tasks.
I personally think PHP blurs the line between a language and framework. The "framework" part is the 20,000 builtin functions and the mechanism it provides for executing code as part of a dynamic web request.
In any case, my intent wasn't to compare Django to PHP, it was to point out that PHP's default way of outputting things really does make it inconvenient to write secure code - hence answering the parent post that argued that poor security had nothing to do with the language used.
You are comparing apples to oranges. Django is a framework built on Python. Python doesn't provide anything to escape strings. I'm sure there are also PHP frameworks and templating languages which make this very easy.
I realize I'm playing devil's advocate because I love Python, but you shouldn't put blame nor give credit where it isn't due.
I've used this exact function in my own code, though I call it "h". Really sucks that we have to do this - not to mention that PHP's global namespace for functions means it's better to have long names that are more likely not to clash with third party code.
You can't write code for redistribution like that though, as most PHP installations have that option disabled since it interferes with XML processing instructions.