CSRF or Cross Site Request forgery is the highest likely method of attack
Broken Authentication is second
And cross-site scripting(XSS) is third
SQL Injection as well as security misconfigurations are also higher than 10% of he vulnerability types.
The IBM report at X-Force blog recounts the challenges a web application scanner has as to when and what to scan.
As one has to be careful with how to scan production systems. If not done well, a vulnerability may not be exposed or a production system may have ill effects.
We are aware of this in our product offerings.
Scan Solutions at Oversitesentry