Correction regarding Veracode's data
Great article. Good to see PayPal respond promptly to a reported XSS issue. I am one of the co-authors of Veracode's State of Software Security report that highlighted the XSS prevalence issue referenced here. I wanted to point out that the report is not based on a survey. It is based on an analysis of over 2900 real-world applications that were submitted to Veracode's cloud-based application risk management platform over the last 18 months. We issue this report every six months and it reports on the key findings and observations based on the security testing we perform across web and non-web applications from across the software supply chain (internally developed, open source, outsourced and commercial apps are all included). Readers can find the full report here: http://www.veracode.com/reports/index.html