The SANS Top 20 update has been released. Go and read it now!
SANS Top-20 Internet Security Attack Targets (2006 Annual Update) 
Six years ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations relied on that list, and on the expanded Top-20 lists that followed in succeeding years, to prioritize their efforts so they could close the most dangerous holes first. The vulnerable services that led to worms like Blaster, Slammer, and Code Red have been on SANS Top20 lists.
The SANS Top-20 2006 list is not “cumulative.” We have listed only critical vulnerabilities from the past year or so. If you have not patched your systems for a length of time, it is highly recommended that you patch the vulnerabilities listed in the Top-20 2005 list as well as those in the 2006 list. At the end of this document, you will find a short SANS Top-20 FAQ (frequently asked questions) that answers questions you may have about the project and the way the list is created.
Also available in a PDF format
For the first time we see VoIP appear on the list (N1) of threats. There are no real surprises in the document (if there are, where have you been hiding?), but the list gives a good framework to look back over your security strategy/policy/procedures to make sure you have all the boxes ticked.
[1.] SANS Top-20 Internet Security Attack Targets (2006 Annual Update) Version 7.0 November 15, 2006 [SANS]