1. IMO, the bigger issue with response_body == stdout is that the default data output is unescaped. Take a look at Wordpress templates. The fact that the template framework is PHP doesn't really cause any issues. And WP is diligent about keeping the escaped data easily accessible, so calling <?php the_post(); ?> actually works fairly elegantly.
2. I wonder if reliance on == has ever caused any major security issues? I know there's some edge cases, but I can't remember a time == ever came back to bite me. (Yea, you can point to strpos(), but everyone knows that example and it's marked with a big red box on php.net.)
How is that a bad idea? IMHO much better by default to be outputting verbatim instead of silently changing the output. Escaping is something you should be conscious of, since you then have a better idea of where you need it and where you don't, and what type of escaping you need.
They tried to do escaping on the input by default with the magic quotes option; that didn't turn out well.
2. I wonder if reliance on == has ever caused any major security issues? I know there's some edge cases, but I can't remember a time == ever came back to bite me. (Yea, you can point to strpos(), but everyone knows that example and it's marked with a big red box on php.net.)