1 Raindrop: Understand Web 2.0 Security Issues - As Easy as 2, 1, 3
Very good points made in this post. At the moment the probable saviour for a lot of transactional sites is that they've been really slow on the bandwagon, so are still running web 1.0 style sites!
That said, the more information that comes out from researchers like Jeremiah Grossman and RSnake the less faith people can really have in the browser security model that most E-Commerce sites rely on.
What's been missing to date is the Slammer or Nimda of the web application hacking world. Without a wide-ranging attack like that, it will continue to be very difficult to convince a lot of businesses to take these threats seriously...