Friday, February 23, 2007

You say you need a web application security primer?

Heise Security posted their PHP-focused Security Know-how for web application security. While it is focused on PHP security, much of the content applies in a general way to any web application programming environment. It is written for a reasonably technical reader, so it isn't something to hand to management as an easy overview, but it is a good article for your local PHP developer to read.

If you don't read anything else, make sure you read the last page - it covers the most important security settings in php.ini.

This catches the other side of Matt's post - build your applications to be secure, and lock them down first, then test them. As all three of us can attest, even good developers make mistakes, but having standards and being aware of security practices is a good start.
