SANS has posted their Top 20 most critical internet security vulnerabilities. The list is really two seperate lists, one for Windows and one for UNIX/Linux. Topping the list on the Windows side are web servers and BIND's DNS Server takes the cake for UNIX/Linux. The list is quite extensive and provides some interesting links to CVE (Common Vulnerabilities and Exposures) reports. The top 20 list can be found here.
Do any of the items on the lists surprise anyone?