The Vulnerability Assessment Team (VAT) at Argonne National Laboratory analyzes the most common security blunders. Here is their Top Ten:
1 Lack of Critical/Creative Reviews & AVAs
2 No countermeasures for Cognitive Dissonance
3 Compliance-Based Security
4 Confusing Inventory with Security
5 Confusing Control with Security
6 Thinking that finding vulnerabilities is bad news & means that somebody has been screwing up
7 Mindless faith in “Security in Depth”
8 Thinking that all vulnerabilities can be found & eliminated
9 Focusing on threats instead of vulnerabilities
10 Mindless faith in Technology & Snake Oil
Read the article by Jon S. Warner, Ph.D., Roger G. Johnston, Ph.D., CPP, and the Vulnerability Assessment Team, Argonne National Laboratory.
287 security blunders (2009)