This is a short one.
OWASP Top 10 is not a standard, though it's often used as such. It's an awareness document.
I've seen so many cases of people and organizations claiming that their solutions are secure because they use the Top-10 list in their work, track Top-10 occurrences, or are "in compliance with OWASP Top-10", which doesn't make much sense...
Knowing about and acting upon the relatively simple vulnerabilities in the Top-10 list is a good start, but it's not by itself enough of a basis to claim good security™. There's more to know, and many places security should be plugged into your lifecycle – for instance:
- What's Next for Developers
- What's Next for Security Testers
- What's Next for Organizations
- What's Next for Application Managers
- OWASP SAMM (Software Assurance Maturity Model)
If you're looking for a (compliance or regulatory) standard, look to the ASVS (Application Security Verification Standard), or similar projects.