A More Meaningful "Top 10"
This explains why keeping up with any Top 10 list is just a small part of what might be called a proper program of effective network and system security. In fact, the Top 10 that's likely to be of most interest to any individual network or system administrator, or IT security professional, is a list of the top known exposures "in the wild" that actually apply to the systems, software, and networks that such hard-working professionals must protect and manage.
To a large extent, this means that your real security issues list probably differs from somebody else's list, simply because it's highly unlikely that any two network or system environments completely match up. In other words, avoiding the most likely security threats depends on constant vigilance, coupled with direct knowledge of what's out there on your systems and networks that needs to be kept safe and secure. Thus, the following rounds of activity are essential to help you build and manage your own personal security issues list:
Make sure you understand basic security principles, policies, and best practices (several in our Top 10 list directly address these topics). Any good book on network or system security will cover these topics to some extent, though some such books are better than others (the "Security Bibliography" section provides a brief list of excellent security books).
Routinely monitor security advisories (the "Security Advisory Resources" section documents some of the best sources of such information, but you'll also want to research and sign up for or visit vendor-specific security advisory resources).
Compare current security advisories against your networks, platforms, hardware, and software. Take appropriate action (such as applying necessary patches, fixes, or upgrades) as circumstances dictate.
In addition to responding to advisories as they come up, schedule and perform regular security assessments of your systems and networks (in more secure or sensitive environments, this often occurs monthly; in less secure or sensitive environments, this should occur 2 to 4 times yearly). Many organizations also schedule and perform penetration testing and run security scanning software against their environments at the same frequency. You should, too.
Don't get hung up on the number "ten," either. Just because Letterman and radio stations track the top ten doesn't mean that's the exact number of security issues you should handle at any given time. If you're lucky, the actual number will be smaller; if not, it'll be larger, and you'll have more work to do.