Perhaps the worst offender is when an application asks for you to "authenticate" an application with your username and password from a third party site. Example--the app which includes your photos from flickr.com on your Facebook page. This is teaching users to be "phished."
Jeremy Keith, a web developer in Brighton England, pledges to do the right thing in his "The password anti-pattern" post.
So here’s what I’m going to do: even if it costs me a contract in the short-term, I will refuse to implement any kind of interface that involves asking the user for a password from a third-party site. I urge you to do the same. And if you feel equally strongly about this, make your thoughts known: blog about it, talk about it…
I urge you to read his complete post for a better explanation of the problem.
There are also issues of privacy and Personally Identifiable Information which people politely ignore to be "social." It is ironic that organizations are being forced to eliminate PII online, but users are posting far more personal information by their own free will.
Security is not at all a priority when people are trying "cool" new things, because the "secure" way is rarely the fun way. It is unfortunate that security does not become a priority until after it is compromised.