Web application security is where the action is, and here are more numbers to prove it.
Numbers from Mitre's CVE (via Steve Christey)
Cross-Site Scripting: Attackers' New Favorite Flaw
Web vulns top security threat index
Web flaws race ahead in 2006
Web app vulns go 1,2,3
"For 2006, 21.5 percent of the CVEs were XSS; 14 percent SQL injection; 9.5 percent php "includes" and 7.9 buffer overflow. Last year was the first time XSS jumped ahead of buffer overflows, with 16 percent; SQL injection accounted for 12.9 percent; and buffer overflows accounted for 9.8 percent."
Summarized Honeypot Compromises (2006)
All compromises were from web application security vulnerabilities or weak passwords.