This report investigated 855 incidents involving "174 million compromised records".
XSS (Cross Site Scripting) is not mentioned in the document. (The 2011 edition at least mentioned it). This implies that Verizon has not found XSS to be a significant cause of the incidents that it investigated.
The conclusion seems to be that while XSS is regularly found in online applications, it does not seem to be exploited very much, so the risk associated with XSS is (relatively) low.
According to OWASP:
The OWASP Top 10 "presents a more concise risk focused list of the Top 10 Most Critical Web Application Security Risks."The OWASP Top 10 currently has XSS as the number 2 risk, ahead of such issues related to credentials (passwords etc). The potential problem with this ranking is that organisations will prioritize their application security programs based on the OWASP Top 10. This means they could be placing too much emphasis on topics such as XSS and not enough emphasis on topics such as credential management.
It will be interesting to see the rankings in the next edition of the OWASP Top 10 201?