According to vulnerability assessment company IPxray, the most common vulnerability found among their corporate customers is the WebDAV buffer overflow condition in Internet Information Server (IIS). The company released a brief summary of the most commonly found vulnerabilities after scanning some 4000 modes over the last 30 days.
According to their findings, the second most commonly found vulnerability is the Apache 1.3.31 htpasswd local overflow. Coming in third place is the IIS FrontPage ISAPI denial of service problem. Forth place seems a tie between the OpenSSH 3.7.1 memory problems and PHP arbitrary file upload problems. The fifth most common vulnerability is the Apache mod_access rule bypass problem.
The Apache mod_access problem was reported on March 6, 2004. The Apache htpasswd problem was reported on September 16, 2004. As best I can tell the OpenSSH problem was first reported back in August 2003. As for the PHP problem, the information provided by IPxray was too vague to determine which of the many PHP arbitrary file upload problems was the culprit, but I'll take a guess that it is the one reported in September 2004.
Patches for these problems or updated versions of these software packages have long since been available. In fact, patches for the IIS problems were made available as far back as March 2003 and April 2002 respectively!
After that much time companies have yet to load critical security patches? This information is astounding, but not unexpected. My guess is that such gross lag time is due to lack of awareness of the need to patch systems in a reasonably timely manner. Either that or companies simply cannot afford such expertice. If that's the case then maybe they should try IPxray as I'm sure the company is quite successful with its customers! Their prices range from $29 per month for basic security checks to $239 per month for companies with to up 25 locations. I suspect their prices are less than many companies spend on coffee and donuts!