See the excellent blog post by Katie Serignese here:  http://www.sdtimes.com/blog/post/2010/03/04/The-state-of-software-security.aspx.Get the report from Veracode here:  https://www.veracode.com/sites/default/files/Resources/Reports/state-of-software-security-volume-2-executive-summary-report.pdf.  Registration is not required to download the report.  The detailed report is an excellent document.