Yii Framework Needs Security Advisories

Yesterday I participated in an OWASP meeting, where one of the presentations was about security in PHP frameworks.

The conclusion was that although Yii claims "security is the standard", it lacks a little bit of code reviews, audits, keeping track of discovered PHP vulnerabilities, etc… Compared to Zend or Symfony, which in the past year provided 4-5 critical patches (among others for XXE/XEE attacks, which are possible due to standard XML handling in PHP), Yii did not respond to such problems (the forum, which should also hold security advisories, only tells about new releases, whereas the others put much more effort into informing users about vulnerabilities and removing them from the framework: http://symfony.com/blog/category/security-advisories).

Yesterday I checked the WebServices code in Yii and I must say: Yii is vulnerable to XXE/XEE attacks through web services. I will try to provide a patch for that soon (in fact based on a similar patch in Zend)…

Anyway, my thought was that in the Yii project there is no one responsible for such a process of continuous improvement, and relying only on the community and their bug reports can cause much harm to Yii's image. The teams responsible for Zend and Symfony cooperate, and if one team finds a vulnerability, it informs the other party about it. Maybe the Yii team should try to tighten relationships with them? :)
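A defensive loader for the kind of web-service XML handling the post above describes, added here as an example (it is neither Yii's code nor the patch promised in the post; the class name, the choice of DOMDocument and the sample requests are my assumptions): it refuses DTDs up front, never enables entity substitution, and blocks network fetches, which is what XXE (external entity) and XEE (entity expansion) payloads depend on.

```php
<?php
// Added example, not Yii's code and not the patch mentioned above. Assumes the
// web-service layer hands us the raw request body as a string.
final class XxeProtectedXmlLoader
{
    // Parse untrusted XML without expanding external or recursive entities.
    public static function load(string $xml): DOMDocument
    {
        // First gate: a SOAP/web-service request never needs a DTD, and both
        // XXE (external entity) and XEE (entity expansion) payloads declare one.
        if (preg_match('/<!DOCTYPE/i', $xml)) {
            throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
        }
        $prevErrors = libxml_use_internal_errors(true);
        // Before PHP 8.0 libxml fetches external entities by default; switch it off
        // (deprecated in 8.0+, where the loader is already disabled).
        $prevLoader = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
        try {
            $dom = new DOMDocument();
            // Deliberately no LIBXML_NOENT (that flag is what substitutes entities);
            // LIBXML_NONET blocks any network fetch the parser might still attempt.
            if (!$dom->loadXML($xml, LIBXML_NONET)) {
                throw new InvalidArgumentException('Malformed XML');
            }
            // Second gate, independent of the regex: refuse any DTD node in the DOM.
            foreach ($dom->childNodes as $node) {
                if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                    throw new InvalidArgumentException('DTD found in document');
                }
            }
            return $dom;
        } finally {
            libxml_clear_errors();
            libxml_use_internal_errors($prevErrors);
            if ($prevLoader !== null) {
                libxml_disable_entity_loader($prevLoader);
            }
        }
    }
}

// Constructed sample requests: a benign one and one declaring an internal entity.
$benign = '<?xml version="1.0"?><request><id>42</id></request>';
echo XxeProtectedXmlLoader::load($benign)->getElementsByTagName('id')->item(0)->textContent, "\n";
try {
    XxeProtectedXmlLoader::load('<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x "a">]><r>&x;</r>');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The regex gate is cheap but encoding-dependent, so the DOM-level check after parsing is kept as the authoritative one; a rejected request should also be logged, since a DTD in a web-service call is a useful detection signal.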

Spontaneous idea: Can anyone be bothered to arrange a crowdfunded review by Sektion Eins or others?

Sounds good. As far as I know, Symfony has done the same thing (the audit cost 6000 EUR at Sektion Eins: http://symfony.com/blog/symfony2-donation-drive).

I’d be willing to put some towards it.

We are also ready to participate in the costs.