6 reasons why a Drupal site can become vulnerable

This post presents some conclusions I drew from reading a very useful book by Greg James Knaddison, "Cracking Drupal".

So why can a Drupal website become vulnerable? The most common reasons are:

  1. Insufficient use of the core API, or skipping it altogether. For instance, if you use the Forms API to build web forms, Drupal automatically provides a form token, which prevents cross-site request forgery (CSRF) attacks.
  2. Insufficient attention to user-supplied data (this applies to almost any kind of software, not just Drupal). This is usually a mistake of novice module developers. They don't expect that users can, for example, replace some arguments in the page URL with malicious code, including XSS, CSRF or SQL injection.
  3. Module developers ignoring access rules. To confirm this, take a look at the hook_menu code of the Vulnerable Module: setting appropriate access arguments for its menu items would fix many of the vulnerabilities.
  4. Configuration mistakes. There are many ways to get a configuration wrong: Drupal permissions, PHP interpreter configuration files, Apache or any other web server.
  5. Out-of-date files. Suppose a developer has finished a website for a small online store, and the manager who handles prices and goods knows nothing about security issues. The business will do well until the software is out of date and some bad person steals its database of private data.
  6. Finally, there is one kind of vulnerability where you don't need to dig into any code to exploit it: a weak password or user credulity. A few social engineering tricks are enough to get access to private data.
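
Reasons 1 and 3 in one place, as an added example that is not from the book or the original post: a hypothetical Drupal 7 module `example_notes` whose delete route is shown first in a weak form (commented out) and then with an access argument and a Forms API confirmation form. The module name, path, permission string and `example_notes` table are assumptions made for illustration.

```php
<?php
// Hypothetical module "example_notes"; Drupal 7 API assumed.

/** Implements hook_permission(). */
function example_notes_permission() {
  return array(
    'delete example notes' => array('title' => t('Delete example notes')),
  );
}

/** Implements hook_menu(). */
function example_notes_menu() {
  $items = array();

  // Weak version: open to every visitor, and the delete runs directly on a
  // GET request, so no form token is ever checked (reasons 1 and 3).
  // $items['example-notes/%/delete'] = array(
  //   'page callback' => 'example_notes_delete_now',
  //   'page arguments' => array(1),
  //   'access callback' => TRUE,
  // );

  // Hardened version: the route requires a permission, and the action goes
  // through a Forms API form, so Drupal adds and validates the form token.
  $items['example-notes/%/delete'] = array(
    'title' => 'Delete note',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_notes_delete_form', 1),
    'access arguments' => array('delete example notes'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/** Form builder: confirmation step for the delete action. */
function example_notes_delete_form($form, &$form_state, $nid) {
  // The URL argument is user-supplied (reason 2): cast it before use.
  $nid = (int) $nid;
  $form['nid'] = array('#type' => 'value', '#value' => $nid);
  $question = t('Delete note @nid?', array('@nid' => $nid));
  return confirm_form($form, $question, 'example-notes');
}

/** Submit handler: runs only after Drupal has validated the form token. */
function example_notes_delete_form_submit($form, &$form_state) {
  // The query builder binds the value as a parameter, not as SQL text.
  db_delete('example_notes')
    ->condition('nid', $form_state['values']['nid'])
    ->execute();
  $form_state['redirect'] = 'example-notes';
}
```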