Eh, that's not the version of Ubuntu that they are running; the whole thing is the php version number. There is a general convention among Linux distributions to backport security fixes to the older versions of software that come with their older releases.

In this case, Ubuntu 12.04 (Precise Pangolin) was released with PHP 5.3.10 plus some security patches, available in the Ubuntu package repository under the name php5 with the composite version number 5.3.10-1ubuntu3.14. Their website doesn't list a newer version of this package (http://packages.ubuntu.com/precise-updates/php5), so possibly they're ahead of the official Ubuntu releases.

The reasoning for this is that while it might be nice to upgrade in order to get new features, new bug fixes, and new performance enhancements, these potential benefits are often outweighed by the very real cost of testing everything to make sure the upgrade doesn't cause regressions. Backporting the security fixes makes sticking with a base version possible. I imagine that upgrading is pretty low on their list of things to do; it would have to get them some nice benefits, and nothing about php is ever nice.

I'm a software engineer myself, and I upgrade individual libraries far more often than I upgrade the actual programming-language runtime (or compiler), simply because that's where you get the most benefit (usually a fix for a specific bug, but sometimes a new feature will be tempting) for the least risk.