Rather than expressing my own opinion, which is far from expert, I'll quote from php.net: "the directive itself isn't insecure but rather it's the misuse of it." (source [php.net])
According to everything I've read on it, it's much easier to write insecure scripts that rely on register_globals being on. Having it turned off requires that you access GET, POST, COOKIES, etc., by the GLOBAL array variables ($_GET, $_POST, and so forth), which forces you to expressly recognize where the variable's value is coming from.
With register_globals on, you can blithely use $admin, supposedly derived from the value of a cookie that you set when a user logged in as an admin, but a user can send ?admin=yes in the URL and $admin will now have the value "yes." You can see where that kind of thing can lead, I'm sure.
I keep it turned off on my own server.