
Another research fellow, AlanH0, and I have carried out basic web vulnerability digging against over 80 organisations in Hong Kong, including government bodies, banks and listed companies. We wanted to see whether they had done their web application security "homework" since 2004 (i.e. since the OWASP Top 10 vulnerabilities were published). Amazingly, we found over 120 basic vulnerabilities across 90 organisations.
Are they still in the stone age, simply trusting a scanner that reports "no risk" and feeling secure and safe afterwards?
Did they engage the right party for the penetration test?
Do they still believe that only a CISSP can be a penetration tester?
Have they adopted any secure software and system development lifecycle?
Do their developers receive training regularly?