The codebases in PHP that have neglected to use frameworks have typically been of a poor quality, IME. In fact, most security issues I've seen have been in PHP sites from developers who think they know what they're doing and don't use a framework. These are the developers who don't use prepared statements, or introduce stored and reflected XSS vulnerabilities or don't bother defending against CSRF. They don't care about splitting their code up and mix all of their HTML and PHP logic in one file. They throw away any concept of structure or architecture and copy and paste their code around their application. They echo out user input without a care in the world, they serve semantically incorrect HTTP response codes for their pages. They allow users to upload files with any name and then wonder why someone has managed to compromise their server by uploading a PHP shell. They don't validate user input server-side properly. They concatenate user input straight into a SQL query, and then wonder why their database schema has been dropped later (they didn't set-up permissions for their web database user either). They pass additional headers to their mail function which include user input, and don't strip out newlines first. They use a hash function like MD5 without a salt when storing their user passwords (or indeed anything except a *proper* slow password storage scheme such as bcrypt). They store their remember me tokens as plaintext in the database. They don't mark their cookies as HttpOnly or SameSite, or use HSTS on their site, or HPKP or CSP or X-Frame-Options or *anything* that would add a shred of security to their web application. Please don't be one of these developers.
Using a framework will:
Make it more difficult to write poor quality code (will normally use a templating language to stop you mixing business logic and presentation logic, encourage use of an ORM etc)
Usually handle some security issues for you. This might be setting useful headers (e.g. Content-Security-Policy), auto-escaping user input in templates to prevent XSS, protecting against CSRF, properly handling passwords etc. This isn't a license to ignore security entirely, but it's a good defense layer.
Usually teach you some architectural lessons from interacting with the framework, assuming it's well written. MVC isn't just used for the sake of it
Usually save you a ton of time implementing common logic that appears in every web application (user input validation, CSRF token generation/comparisons, password storage, logging etc).
Usually provide you with a bunch of tools related to automated unit/integration testing and an IoC container to make dependency injection and thus writing testable code easy. You do use automated tests, right?
Sometimes you'll want to do something the framework makes hard. Sometimes this might be your fault (you're not embracing the philosophy of the framework properly and end up fighting it) or sometimes it might just be a genuine limitation. Usually maintainers are happy to discuss any issues that may be brought up, though.
You might have to actually put some effort into developing your application and/or reading documentation
I'd use a framework pretty much every time. I've seen too many codebases that are un-maintainable, untested, brittle and just a horrible mess that *don't* use a framework and I've wasted too many hours trying to maintain them. Don't be a dîck to the next person who has to deal with your work.
If you're not going to use a framework, and there's a shred of a chance that real users will be using your system, are you happy to assert that you know better than all of the contributors to an open source project like Laravel when it comes to e.g. security? If you don't feel comfortable asserting that, why aren't you prioritising the security of your users?
Though I am slightly uncomfortable placing the onus for good programming practices on the code base itself. If you need a code base to force you to write good code then your programming sensibilities could probably use some work to begin with. When I see bad code written without a framework I am inclined to blame the author and not the lack of a framework. There are many examples of bad code written with existing frameworks and good code written without. The programmer is to blame in both cases.