When I was searching for a ticket in nationalrail.co.uk website, I suddenly found an XSS and also a SQL Injection vulnerabilities in it.
I reported these two vulns. to its website just for having more security. And, I think these two vulnerabilities are fixed now.
However, I believe that still 70% of webistes are vulnerable against the OWASP TOP 10!
Also, I think you should read “Survey: Majority of Web sites vulnerable” as well.
3 weeks ago, I sent an email about some small but effective vulnerabilities in Travian online game to its providers. By using these vulnerabilities a player can make several accounts by the same email address (because of a logical flaw), and also, he/she can login to other players’ accounts (by using an XSS vulnerability which is completely proved).
Now, I’m still waiting for their final response as I don’t want to be harmful for them!