http://pwnie-awards.org/2008/awards.html
There's a lot of good ones, it'll be hard for the judges to decide! I realize that a lot of this is political, but it's still funny. :)
The DNS vulnerability has gotta win for being overhyped. There's no way a vulnerability can live up to what they've built up (I read the leaked details on it, and, while it's pretty cool, it's not THAT cool.
For best client-side bug, Quicktime HAS to win. We've had a nighmare trying to get patches rolled out for it (because they don't stop!).
Todd Davis should win for most epic fail. He totally deserves it. :)
And finally, Debian has gotta win for one of the categories. Having a totally broken key generator for two years? Yikes!