I would suggest doing a "hack-a-thon" like Xenland did before going live with any type of site.  Much better for us to point out flaws/holes in your system before going live.  As for just worrying about PHP security, there are many other angles of attack that need constant attention and monitoring.

And IMO, an exchange will be a prime target since you will be holding BTC.