When I was searching for a ticket in nationalrail.co.uk website, I suddenly found an XSS and also a SQL Injection vulnerabilities in it.
I reported these two vulns. to its website just for having more security. And, I think these two vulnerabilities are fixed now.
However, I believe that still 70% of webistes are vulnerable against the OWASP TOP 10!
Also, I think you should read “Survey: Majority of Web sites vulnerable” as well.
I reported them to the computer support section, and all of them are solved now.
The vulnerabilities were:
1- File uploading attack (In WWW, attacker could upload a php file and execute it.)
2- Directory traversal (In WWW, attacker could see the files and directories of the server and download the web files via the browser)
3- Local file inclusion (In Supportweb, attacker could use LFI techniques to do some malicious works)
4- Critical XSS attack in Gate Keeper’s Login (In Both, attacker could steal all the usernames and passwords of the users by using some simple social engineering techniques.)
Most of these vulnerabilities were because of the old part of the website.