The most common issue and vulnerability was the use of out of date version of Joomla. When (at the time of writing) Joomla is 3.5.1 we found the worst case was 3.3.1 with several security vulnerabilities. Possibly the worst one was an extension developer charging for a download that included 2.5.29
It doesn't just apply to Joomla core. Even developers who include the latest version of Joomla with their template, sometimes bundle out of date extensions. We found one template provider bundled a slideshow package that created 777 folders in the temp directory. One of the first places a hacker looks.
There were also 2 year old versions of virutemart, exploitable versions of kunena, jevents and even a couple of nulled versions of other big players.
We did raise the "issues" with the developers where we could and had some responses ranging from "its up to the other developer to update their libraries we use" to "we recommend a full update of all extensions before use" (good advice but no excuse for not providing a reasonably up to date package to begin with).
We do also find that several hosts who had quick start versions of Joomla included in their packages did not all have the latest version.