A very nice piece of work from the Web Application Security Consortium shows the most relevant security flaws in web applications in 2007.
The goals of this study are very explicit:
1) Identify the prevalence and probability of different vulnerability classes.
2) Compare testing methodologies against what types of vulnerabilities they are likely to identify.
The methodology and the results are explained and shown here. There is really nothing to add, just take a look at the graph above: programmers' mistakes are still relevant in 2007.