Our cofounders (I'm director of product management at Veracode) helped to coauthor the responsible disclosure standard, and it's linked on our web site. Short version: we don't disclose details about customer findings.
There is an industry effort to define a "watch list" for common mistakes that lead to security flaws. Co-led by the folks behind the Common Weakness Enumeration at MITRE and the SANS Institute, the SANS Top 25 (full listing here) is being used as a requirements document for the security of purchased applications by the State of New York, among others.
It's not perfect--it omits backdoors and other intentional security flaws, among other categories--but it's better than nothing, by a long shot.
Disclaimer: I work at Veracode and was a co-author of the report that the original article was about.
We scan selected open source projects on a pro bono basis and reach out to the project teams to share the findings with them.
Disclaimer: I work for Veracode and was a coauthor of the report.
If you take a look at the full report (registration required), you'll see that the application pool from which the report was drawn was 47% Java, 31% C/C++ (on Windows, Red Hat Linux, and Solaris), and 22%
Disclaimer: I work for Veracode and was a co-author of the report.
You can check out the full report online from the Veracode.com website (requires registration).
We disclose the sample size in the appendix (1591 applications).
You can test the quality of code you are developing yourself with a simple source code scanner, but testing third-party code is a little more challenging. I don't know too many significant applications that are entirely created in-house, with no dependency on third-party libraries.
Disclaimer: I work for Veracode and was a coauthor of the study.