The SANS Institute has published a list of the Top 25 Most Dangerous Programming Errors. The list itself contains all the usual suspects — buffer overflows, SQL injection, relying on client code to perform data validation, and various other classics. If any of the items on the list strike you as surprising, you probably shouldn’t be writing code for a living.
The advice on prevention and mitigation is disappointing in places. For example, I’ve written about CWE-404 before, when I discussed Java “memory leaks”. None of the suggested preventatives from the SANS article actually solve the problem; if they did, there wouldn’t be so much problematically incorrect JDBC code around.