Web sites are likely to have security risks and so are any networks that is connected to web servers. Besides risks created by employee use of network resources, web server and the site it hosts present your most serious sources of security risk.
Web security has two components which are internal and public. Your web security is high if you have the few network resources of financial value, your company and website aren't controversial in any way, your network is set up with tight permissions, your web server is patched up to date with all settings done correctly.
It is common that a poorly written software creates security issues. The number of bugs and errors that can create web security issues is directly comparable to the size and complication of your web applications and web server. Basically, all complex programs either have bugs or at the very, least weaknesses. On top of that, web servers are inherently complex programs. Web sites are themselves complex and intentionally invite ever greater interaction with the public. And so, the opportunities for security holes are many and growing.