I think they're missing one:

  1. Failure to validate input
Your program must validate any input it receives from the outside world, even if it comes from a trusted source or from data your program wrote earlier. Assuming your program will receive only legal input is just asking for trouble. Not only does validating input close security holes, but it also helps to detect bugs and avoid version skew problems.