Is it possible for a site programmed in PHP version 5.6 to be secure?

Yes, is secure.

Not even PHP version 7 receives security updates any more. https://www.php.net/supported-versions.php

There are backports of security fixes for older versions I think, just not offical from the PHP devs.

I do not know much about it but WordPress (Requires 7.0 since very recently) used as part of their explanations (excuses) for their extreme backwards compatibility that some of the major webhosts used some special PHP versions to account for security risks while still serving with old versions.

Sure. Disable all the optional features you aren't using, and hope there's no unpublished security errors in the site itself or the stack. Same thing you'd do on any other language/stack; except something that's formally verified in which case you'd also need to hope the verification model matches the actual environment.

Lack of security updates / process doesn't definitely imply an insecure environment, but it puts the onus for security more clearly on the host. You've got to at least watch all the security updates in newer revisions and consider if they apply, but there's also things that may have gotten fixed or at least changed without realizing the old version was insecure.