WordPress and Security

I’d tackle this problem on three layers: plugins, core and filesystem.

Most security problems arise via third-party plugins and themes, so, as Ambitious Amoeba notes, the best thing you can do is choose those wisely: stick to actively maintained ones with a recent update history, and remove any you are not actually using.

You should also keep WordPress core on the latest version: known issues get patched in new releases, but older versions stay vulnerable to them. Since WordPress blogs are so common and so easy to find (Google "inurl:wp-login.php"), you are really asking for it when you don't update your core.

Finally, there's a lot of user error that causes problems: you can't get your FTP to update, so you chmod 777 or something, thinking it'll be fine, then some remote ne'er-do-well figures it out and you're toast. The best thing to do is make sure you lock down your permissions as much as you can on the filesystem. I believe chmod 755 is the preferred level.
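As an added example (not from the original post), here is a small POSIX shell script that finds the "chmod 777" mistake in a WordPress tree and applies the usual baseline of 755 on directories and 644 on files. The directory layout it builds under a temporary root is constructed for the demo, not a real install, and tightening wp-config.php to 600 is a common extra step that goes beyond what the post says; adjust it to how your web server user reads the file.

```shell
#!/bin/sh
# Added example: audit and lock down file permissions on a WordPress tree.
# The sample tree built by wp_make_sample is constructed for this demo.

# List every world-writable file or directory (what "chmod 777" leaves behind).
wp_find_world_writable() {
    find "$1" -perm -002 -print | sort
}

# Count world-writable entries; a locked-down tree returns 0.
wp_count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Apply the baseline: 755 on directories, 644 on files.
# wp-config.php holds database credentials, so it is tightened further to 600
# (owner read/write only); this is a widely used extra step, not from the post.
wp_lock_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then
        chmod 600 "$1/wp-config.php"
    fi
}

# Build a constructed sample tree that reproduces the mistake:
# a 777 uploads directory and a world-writable wp-config.php.
wp_make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-content/plugins/demo"
    printf '<?php\n' > "$root/wp-config.php"
    printf '<?php\n' > "$root/wp-content/plugins/demo/demo.php"
    chmod 777 "$root/wp-content/uploads"
    chmod 666 "$root/wp-config.php"
    echo "$root"
}

# Demo run: show the offenders, fix them, then confirm nothing is left.
wp_demo() {
    root=$(wp_make_sample)
    echo "World-writable before:"
    wp_find_world_writable "$root"
    wp_lock_permissions "$root"
    echo "World-writable after: $(wp_count_world_writable "$root")"
    rm -rf "$root"
}
```

Run `wp_find_world_writable /path/to/wordpress` first to see what is exposed before changing anything; on a real install, the owner of the files also matters, since 755/644 only helps if the web server process is not the owner of everything it serves.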
