Security leaders from 30 organizations, led by the FBI's NIPC and the SANS Institute, published a list of the top twenty Internet security vulnerabilities (7 general, 6 Windows NT/2000, and 6 UNIX/Linux), along with instructions on how to fix them. In a surprise move, the Center for Internet Security simultaneously released a free vulnerability scanner that focuses on the SANS/FBI Top Twenty. See http://www.sans.org/top20.htm for details.

Top Vulnerabilities That Affect All Systems (G)

G1 - Default installs of operating systems and applications
G2 - Accounts with No Passwords or Weak Passwords
G3 - Non-existent or Incomplete Backups
G4 - Large number of open ports
G5 - Not filtering packets for correct incoming and outgoing addresses
G6 - Non-existent or incomplete logging
G7 - Vulnerable CGI Programs

Top Vulnerabilities to Windows Systems (W)

W1 - Unicode Vulnerability (Web Server Folder Traversal)
W2 - ISAPI Extension Buffer Overflows
W3 - IIS RDS exploit (Microsoft Remote Data Services)
W4 - NETBIOS - unprotected Windows networking shares
W5 - Information leakage via null session connections
W6 - Weak hashing in SAM (LM hash)

Top Vulnerabilities To Unix Systems (U)

U1 - Buffer Overflows in RPC Services
U2 - Sendmail Vulnerabilities
U3 - Bind Weaknesses
U4 - R Commands
U5 - LPD (remote print protocol daemon)
U6 - sadmind and mountd
U7 - Default SNMP Strings

For anyone not subscribed to SANS, I recommend subscribing at http://server2.sans.org/sansnews

"Linux is for people who hate Windows. BSD is for people that love unix."