Taking a look at the mainstream press, Brian Krebs from the Washington Post blogged "Cross-Site Scripting Flaws Abound". Among other things, Brian talks about XSS disclosures in the websites of Verisign, eEye Digital Security, Cisco Systems, F-Secure, Snort.org, the National Security Agency, eBay, and Amazon. There is a running thread on SecurityLab about additional vulnerabilities in IBM, MSN, CyberTrust, etc. If there was ever any question, XSS vulnerabilities are epidemic. Just about every website has AT LEAST one. No one is safe, not even security vendors.
Also, I'm a member of some public and private bulletin boards that help me stay up to date on who's doing what and for what reasons. For instance, SEOs are utilizing XSS to boost website ranking by making it appear that popular websites are linking to their websites. Simple XSS-Defacement exploit, where the defacement is an a href link injection. And I can tell you right now, the websites they are targeting are big.
RSnake clued me into this, check it out from Google Trends searching for XSS and Cross Site Scripting: