The Open Web Application Security Project, to which I wish I had more time to devote, have released their list of top ten web application security vulnerabilities (PDF).