Web Application Security Consortium (WASC) released statistics from 2008 project, the goals are:
- Identify the prevalence and probability of different vulnerability classes.
- Compare testing methodologies against what types of vulnerabilities they are likely to identify.
They have scanned over 12,000 web site, resulting in 4 data sets:
- Overall statistics by all kinds of activities;
- Automatic scanning statistics;
- Black box method security assessment statistics;
- White box method security assessment statistics.
The report is available here.