Acunetix recently reported that on average, 91% of the Web sites scanned contained some form of Web site vulnerability. Those exploits ranged from the more serious, such as SQL Injection and Cross Site Scripting, to more minor ones, like local path disclosure or directory listing.
Out of 3,200 sites scanned, 70% had vulnerabilities with either a medium- or high-risk rating
Personally I didnt think the numbers were that high, but in reality it doesn’t surprise me.
http://www.acunetix.com/news/security-audit-results.htm