Apache.org had an incident last week which started as a cross-site scripting attack and ended with the attackers gaining root access to their servers. The full story is worth a read because it's instructional to see how the mistakes compound and the attackers used each new foothold to gain access to another deeper level in the system. It reads like a laundry list of simple security mistakes, but strung together in a real world scenario that resulted in a serious breach of security.
And it ends with a great honest example of the open source philosophy:
We hope our disclosure has been as open as possible and true to the ASF spirit. Hopefully others can learn from our mistakes.