It appears Fabien Potencier (lead engineer for the Symfony Framework) enlisted the help of an outside firm to audit the security of the Symfony 2 code-base. He posted the results a few days ago @ Overall, it looks like the Symfony 2 code-base made the grade with regards to security issues. I did pose the question if they conducted the same type of audit for the Symfony 1.4 codebase as it will still be officially supported until 2013. If/when I find out I will update this post.

I applaud his efforts to provide a robust and secure framework.