How secure is CodeIgniter 3.x?

Remember CodeIgniter is a development Framework. It doesn't strive to make your application secure. It merely gives you the tools to do it yourself. If you look at CI's Security page, it's pretty clear they are expecting the developer to understand Application Security and build it into their application.

If WebApp security is relatively new for you, I would start with OWASP. It might be advantageous to look at other frameworks such as Zend or Cake which I believe do more upfront things for the developer.

I've used CI in both 2.x and 3.x. It provides IMO huge flexibility for PHP devs, but if you have only used a Framework which does certain security things for you, I can see why someone would take issue with it.


All web frameworks of CodeIgniter's size are susceptible to a web vulnerability. Yes, in the past CodeIgniter has had some vulnerabilities found. But search up CVEs for other frameworks and you will likely find they have their share as well. To use the logic of "don't use this framework because a vulnerability was found in an old version" is silly, and if that were the case we shouldn't use Joomla, Drupal, WordPress, Django, Windows, Linux, iOS, OS X, Android, etc. As far as 3.X goes, there is no known exploit. This is not to say one couldn't possibly be found down the road. But that doesn't warrant not using it.

I strongly urge you to stay away from CodeIgniter. I'll give you one reason and this is the only reason you'll need: CodeIgniter has no idea how to do security properly. Or it just isn't a priority for them.

This is the type of comment you should disregard. CodeIgniter is an open source project with hundreds of contributors. To assume they don't know security or want to prioritize it is a really far-fetched and unfounded claim.