How does a file ending in .php~ get on the server in the first place?
Several text editors, particularly Unix ones like emacs, automatically create a "backup" copy of any file you edit, giving the backup copy the same name with a tilde (~) appended.
For example, if you use "emacs wp-config.php" from a Unix shell connection to edit that file, a copy of the original will be saved as "wp-config.php~".
Or if you use such a text editor on your desktop computer, then upload the entire "wordpress" directory via FTP, a backup copy of the file could end up on the server that way.
I suspect many people make the same mistake manually: it would be easy to think "Oh, I'll just save a copy of that file as 'wp-config.php.backup' before I edit it." Smart "hackers" could look for all sorts of possible filenames.
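
To check your own site for such leftovers, here is a small shell function, added as an example and not taken from the original page. The "~" and ".backup" suffixes come from the text above; the other suffixes are assumed common choices for hand-made copies, and the path in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example: list leftover copies of PHP files under a document root.
# Run it on the server (or on the local copy before an FTP upload).
#
# Usage: sh find-leftovers.sh /path/to/wordpress   (hypothetical path)

find_php_leftovers() {
    docroot=$1
    if [ ! -d "$docroot" ]; then
        echo "not a directory: $docroot" >&2
        return 2
    fi
    # "~" and ".backup" are the cases described in the text.
    # ".bak", ".old", ".orig" and ".save" are assumed extra suffixes;
    # extend the list with whatever naming habits you have.
    find "$docroot" -type f \( \
        -name '*.php~' -o \
        -name '*.php.backup' -o \
        -name '*.php.bak' -o \
        -name '*.php.old' -o \
        -name '*.php.orig' -o \
        -name '*.php.save' \
    \) | sort
}

# When called with a directory argument, print every match, one per line.
if [ "$#" -gt 0 ]; then
    find_php_leftovers "$1"
fi
```

Any path it prints is a copy of PHP source whose name no longer ends in ".php"; delete it or move it outside the web-accessible directory.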