I recently crawled the top million websites (alexa) and pulled data relating to the usage of HTTP Headers, such as HTTPOnly cookies, X-XSS-Protection, X-Frame-Options and X-Content-Security-Policy.

See the results here: http://hackertarget.com/http-header-security-analysis/

Who implements these policies on the web servers they run?

According to the stats < 1% of sites in the top 1 million are setting these headers for most of the options.