xssed.com has a list of known XSS-vulnerable sites, ordered by descending PageRank score. Yahoo, Microsoft and Google all have vulnerabilities currently listed, though Google is normally good at fixing these things quickly. This is not trivial: though the vulnerabilities are on different subdomains to Yahoo Mail/Gmail, so can't access your email, for example, they could easily make sites leak personal information or carry out destructive actions.
In my opinion, any company that has a vulnerability like this that goes unfixed for more than 24 hours and leaks personal information should face financial penalties, not just loss of reputation. Practically though, you could probably argue that a lot of vulnerabilities are due to specific browser interpretations of HTML, so it would be hard to prove responsibility.
CSRF vulnerabilities are a different matter: less serious as they generally only open up one specific action to abuse, if they're due to general design flaws in the application (particularly in account management) the problem can still be bad. I've personally reported CSRF holes in 5 major sites this year, none of which has been fixed yet, as far as I know.