I like the OWASP Top Ten for "developers" charts. From my point of view, it gives an awesome advice, where to start or helps to take care and remember what you maybe already know about web security implementation. From my side it feels a bit like "rub salt into the wound" of a developer soul, isn't it so?