As noted in Ellen's article, some of the most widely used libraries with known vulnerabilities are Google Web Toolkit (GWT), Apache Xerces, Spring MVC, and Struts 1.x.
The buzz around the release of the study and Ellen's article is calling into question whether open source is any more or less secure than closed source code. Another issue is whether open source companies and authors are vigilant in closing holes and insecurities in their code. I spoke with Wayne Jackson, CEO of Sonatype, the company that maintains the Central Repository, which was the subject of this study. I know Jackson from his days as CEO of Sourcefire. Wayne is a long-time supporter and believer in open source.
Wayne told me that people looking at this study and using it to say that open source is less secure than closed source are mistaken. There are vulnerabilities in just about all code and libraries. The fact that this study saw so much use of vulnerable libraries is more about the popularity and widespread usage of open source than about whether it is more or less secure. To Jackson, that is the real finding of this study: look how many applications and enterprises use open source libraries and components. It is pretty ubiquitous.