The riffraff of the web application security space Jeremiah Grossman has polled a bunch of application security professionals and published the results on his site.
"Two weeks ago I sent out an informal email survey to several dozen people I know in the web application security professional services business. People from large and small organizations who regularly perform penetration tests, vulnerability assessments, train others in secure software development, write articles and whitepapers, release tools, etc. In short, the “experts”. The questions were intended to shed more light on the industry from those who live and breathe webappsec every day. Of the pool of 40, I received 21 responses, and the results are interesting. The data set is small, so be careful reading too deeply into the results."