Is Ubuntu's PHP package secure?

If Ubuntu supports LTS versions for five years, but PHP supports major versions just for three years, isn't it insecure to use Ubuntu's official PHP package? After all, the major version shipped in an Ubuntu LTS release won't get security patches for at least two years, or would it?

Short answer: Ubuntu ensures that their shipped PHP version keeps secure throughout the whole support window.

I've written a more detailed answer over at StackOverflow and published a German article on one of my websites.