One of those sites which should be secure, is cert.org. There was Reflected HTML injection vulnerability from presenting Request URI back to HTML (works only with IE).

At the end of 2013 I found one interesting XSS vulnerability in LinkedIn. Problem was easy to find, but hard to use for attacker.