A study done by Whitehat Security found that educational institutions were the most likely to be vulnerable while banks and healthcare institutions were the least vulnerable.
According to NetworkWorld, the study is based off of data from 400 organizations that use the company as their web vulnerability management firm. They found that 71% of schools tested had vulnerabilities on their web servers all the time, in contrast to only 16% of banks had servers that remained unpatched. Whitehat said,
While no industry approached anywhere near zero for an annual average, banking, health care and manufacturing performed the best out of all the industries with 30, 33 and 35 serious vulnerabilities respectively per Web site during 2010 for a rough average of 2.5 or so vulnerabilities per month, on the opposite end of the spectrum, Retail, Financial Services and Telecommunications, whose Web sites had the most reported issues, measured 404, 266 and 215 serious vulnerabilities per site -- or between 18 and 34 per month.
Being vulnerable can lead to a lot of different attacks, but the most common were information leakage and content spoofing. Both of these would allows an attacker to steal user information thinking they are giving to a trusted source rather than to the creator of the spoofed content.
The good news from this study is that you can count on your bank to do its best to make sure your financial information is secure, they have the fastest patch time of all industries. Within 13 days of a vulnerability cropping up, the server is patched. The complete opposite can be said that for the telecommunications industry, they take an average 205 days to patch a vulnerability. The average for all businesses to get around to patching their vulnerabilities is 116 days.