
One of the most important things that's about to happen for PHP security is deprecating the 'mysql' extension[1], which doesn't support prepared statements.

Forcing cheapo web hosts to enable mysqli or PDO will hopefully help a great deal.

I just think they should have added E_DEPRECATED warnings in 5.4 - but I see why they didn't.

[1]: http://news.php.net/php.internals/53799



It's nice that it's generating warnings now, but the best thing for the community would be to completely remove it. It'd be better to answer questions about "Why doesn't my code work?" than "How can I fix my (horribly insecure) app?" where they're not even concerned about the security issues.

PHP 5.5 will produce warnings when using mysql_query. It's a small step forward.



