Perhaps this is a bit old, but it’s the first time I’ve seen it, and I thought it was interesting enough to share.
[http://www.webappsec.org/projects/statistics/](http://www.webappsec.org/projects/statistics/)
* more than 7% of analyzed sites can be compromised automatically
* Detailed manual and automated assessment using white and black box methods shows that probability to detect high severity vulnerability reaches 96.85%.
* The most prevalent vulnerabilities are Cross-Site Scripting, Information Leakage, SQL Injection and Predictable Resource Location