UPDATE: There is some controversy about 1), see more information here: http://drupal.org/node/475858. As pointed out by some readers, there are other ways to figure out the Drupal version of the site.

While Drupal is a secure system, there are 4 configuration issues that are often overlooked when developing a Drupal site. By following a few easy steps, we can make a Drupal site much less vulnerable.
1) Leaving Drupal Version Information Text Files on Server
A lot of developers forget to delete the Change Log and other text files that come with the Drupal package. By leaving these text files on the server and publicly accessible, you let potential hackers learn the exact version of Drupal that you are using. Once the hackers know the version, they can more easily find exploits that work against the Drupal site.
2) Cross Site Scripting
Cross site scripting can happen if you allow visitors to post any HTML code and JavaScript into form boxes. This will allow hackers to post malicious code onto your web page. It is critical to either ensure that only filtered HTML is allowed for postings or to run the check_plain() function against all user input.
3) Exposing Apache/Server Tokens
Server tokens are pieces of information about the version of the Apache/PHP server and the modules that are loaded. A lot of servers are configured to display this information when a user goes to a "Page not Found" page. The issue with this is that it allows hackers to identify the server version and figure out exploits for that server version.
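A small audit for items 1) and 3), as an added example that is not part of the original post: it lists leftover Drupal text files in a docroot and checks one Apache config file for `ServerTokens Prod` and `ServerSignature Off`. The function names are hypothetical, the file list is assumed to be the set shipped in the root of Drupal 6/7 core archives, and it assumes both directives live in the single config file you pass in.

```shell
#!/usr/bin/env bash
# Added example. Usage: ./audit.sh /path/to/docroot /path/to/apache.conf

# Text files shipped in the root of Drupal 6/7 core archives (assumed list).
DRUPAL_TXT="CHANGELOG.txt COPYRIGHT.txt INSTALL.txt INSTALL.mysql.txt INSTALL.pgsql.txt LICENSE.txt MAINTAINERS.txt UPGRADE.txt"

# Print each leftover text file in the docroot; return 1 if any exist.
leftover_txt() {
  found=0
  for f in $DRUPAL_TXT; do
    if [ -f "$1/$f" ]; then
      echo "$1/$f"
      found=1
    fi
  done
  return $found
}

# Print the value of an Apache directive in a config file. Directive names
# are case-insensitive and the last uncommented occurrence wins.
apache_directive() {
  awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { if (v != "") print v }' "$1"
}

# Return 0 only if the file explicitly sets ServerTokens Prod and
# ServerSignature Off. Unset values are reported too, because another
# config fragment may set them differently.
tokens_hardened() {
  rc=0
  t=$(apache_directive "$1" ServerTokens)
  s=$(apache_directive "$1" ServerSignature)
  case "$(printf %s "$t" | tr 'A-Z' 'a-z')" in
    prod|productonly) ;;
    *) echo "ServerTokens is '${t:-unset}', expected Prod"; rc=1 ;;
  esac
  case "$(printf %s "$s" | tr 'A-Z' 'a-z')" in
    off) ;;
    *) echo "ServerSignature is '${s:-unset}', expected Off"; rc=1 ;;
  esac
  return $rc
}

# Run the audit only when both paths are supplied on the command line.
if [ $# -ge 2 ]; then
  status=0
  leftover_txt "$1" || status=1
  tokens_hardened "$2" || status=1
  exit $status
fi
```

The script exits non-zero when either check finds something, so it can run as a deployment gate.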
4) Allowing Users to Create Accounts on a Private Content Site
Users should only be able to register and create accounts on community web sites. Users should not be able to register if the site is a private corporate web site where content is only managed by the administrators. There have been various occasions where I find that users can register for an account on a corporate Drupal web site. The security risk this poses is that users may be able to create profiles (if Node Profile is an enabled module). They may then be able to use that page for link spamming purposes. The simple fix for this is to change the configuration to only allow administrators to approve user signups.