Before understanding security risks on the web, it may help to first think about what makes a secure site.
From Cracking Drupal chapter 1, the Drupal security book by Greg Knaddison:
A site is secure if private data is kept private, the site cannot be forced ofﬂine or into a degraded mode by a remote visitor, the site resources are used only for their intended purposes, and the site content can be edited only by appropriate users.
A security issue allows someone to
- Abuse resources in ways they aren't suppose to
- Steal data from the site
- Alter data on the site