SANS has a list of the top ten security holes on the Web. Anyone whose systems are exploited through one of these holes should have their wrist slapped, because they’re all very well known. Some of them (running an exploitable version of sendmail) are easier to fix than others (badly written CGI programs).