I've been using the Debian default PHP (with Suhosin) for years in production and I've never had any problems. I never saw any performance loss and, even if there were, I would be happy to have my PHP scripts take a few milliseconds longer rather than have my system vulnerable to some zero-day PHP vulnerabilities!!!
I'm really sad about Stefan Esser: he proved to be a top security expert in the past. I'll definitely continue to use Suhosin in production, even if Debian drops it as the default.
Would you really want to be woken up at 03:00am with all your systems down because somebody has found a new zero-day vulnerability and you decided not to have Suhosin in order to improve performance a bit??