Ninety-seven percent of applications tested by Trustwave last year had at least one vulnerability, according to the 2016 Trustwave Global Security Report.
The report rated 10 percent of the vulnerabilities as critical or high risk while the median number of vulnerabilities discovered per application was 14.
Twenty-one percent of the data breach investigations conducted by Trustwave occurred in the Asia-Pacific Region, and retail was the most compromised industry globally.
Retail was followed by hospitality at 14 percent, and food and beverage at 10 percent.
"Cybercriminals have been congregating and organising for years, but 2015 showed a marked increase in the behaviour we would normally associate with legitimate businesses," said Trustwave Chief Executive Officer and President Robert J. McCullen.
In 2015, compromises that affected corporate and internal networks increased to 40 percent, up from 18 percent in 2014.
Eighty-five percent of compromised e-commerce systems used the Magento open-source platform, and most of the affected systems were not fully updated with security patches.
Attackers were after payment card data in 60 percent of investigations and the majority of victims (59 percent) did not detect breaches themselves.
Angler was the most prevalent exploit kit of 2015, and it accounted for 40 percent of exploit kit-related incidents, more than twice as many as the next most prevalent kit, Nuclear.
"Based on the study of numerous security incidents, exploit kits and malvertising campaigns, our 2016 Trustwave Global Security Report shows businesses how and where these sophisticated criminal organizations are most likely to attack, and more importantly, how to defend their assets," added McCullen.
Sign up for Computerworld eNewsletters.