Advisory updates, First Quarter, 2009, and a few from 2008.
DMOZ search's XSS was found 2 months back... and NASA's XSS at Goddard Space Flight Center was exactly a month ago...
The other findings, from the Myspace, AVG antivirus, and ESET antivirus websites, are also not fixed ... even though these websites have a good user base and would be expected to fix quickly.
HSBC haven't fixed their bug just yet ... but it is obvious, they're a bank and they want money... not security ;)
The Indian government website has removed the page that had input sanitization problems, instead of fixing it... still not bad ... they've taken some measures to stay at bay ...