See the excellent blog post by Katie Serignese here: http://www.sdtimes.com/blog/post/2010/03/04/The-state-of-software-security.aspx.
Get the report from Veracode here: https://www.veracode.com/sites/default/files/Resources/Reports/state-of-software-security-volume-2-executive-summary-report.pdf. Registration is not required to download the report. The detailed report is an excellent document.