Why hasn't the OWASP Top 10 (web application) changed since 2013, while the Mobile Top 10 is as recent as 2016?

The reason for the delay is that there has been little change in the Web T10. As stated by Dave Wichers, the Web T10 project lead, on 30 June 2015:

Historically, we've produced a new OWASP Top 10 every 3 years because this seems to balance the tempo of change in the AppSec market, all the work everyone does to map their tool/process/other thing to each version of the OWASP Top 10, and the effort required to produce it. We've been producing a new one every three years since 2004 (i.e., 2007/2010/2013), and so a new version for 2016 is due. (Definitely not happening in 2015).

However, we've been thinking about what might change in a 2016 release of the Top 10 and we don't actually think it would change much, if at all, which is kind of sad actually. I suspect some Top 10 items might move up or down based on the vulnerability prevalence statistics that we would need to gather and process, but I have my doubts that any new vulnerability types would break into the Top 10.

As such, given that we don't expect the list to actually change in any substantial way, the project has decided to defer the next update to a 2017 release.

This table from the 2013 T10 Release Notes demonstrates the small change (table image not reproduced here). The changes were largely due to rethinking how to categorize the raw data, not due to significant changes in the data.

Some have postulated that the level of effort for creating the T10 was a factor for delaying it. While it is a lot of work, I do not think that was a major factor. The Web T10 is OWASP's most recognized project and always has lots of volunteers (I contributed to the 2007, 2010, and 2013 ones).

Speculating as to whether the same thing will happen for mobile applications, I do not think that is likely in the near future. Mobile technology is still in its infancy and subject to rapid change.


Please note that the OWASP Top 10 was updated in 2017.

I wrote about it at The OWASP Top 10: 2013 vs. 2017.

tldr:

Three new risks were added this year: XML External Entities (XXE), Insecure Deserialization, and Insufficient Logging and Monitoring.

Two items were removed from this year’s top 10: Cross-Site Request Forgeries (CSRFs) and Unvalidated Redirects and Forwards.

Two risks from the 2013 report (Insecure Direct Object References and Missing Function Level Access Control) were merged into a single risk: Broken Access Control.


They don't update it every year, and it's done by volunteers in their spare time, so updates can be slow as it's very comprehensive and takes a lot of work. However, they are currently working on updating it this year and are asking for people to submit data towards it.

The OWASP Top 10 project is launching its effort to update the Top 10 again. The current version was released in 2013, so this update is expected to be the 2016 or more likely 2017 release. This time around, we are making an open data call so any organization with a broad set of application vulnerability statistics can contribute their data to the project. To make it easier for the project to consume this contributed data, we are requesting it be provided via a Google form. DEADLINE: Data must be submitted by July 20, 2016.

OWASP TOP 10 site accessed 13th July 2016

The reason the Mobile Top Ten is up to date is because it's a new addition compared to the OWASP Top 10 project, which has been running since 2003/2004, when mobile security really wasn't what it is today.