7/15/2011 -- Wireless security is one of those topics that keeps expanding on certification exams as it becomes more important (and more widely implemented) in actual IT environments. Wireless security was greatly expanded in the SY0-301 version of the CompTIA Security+ exam, and is also prominent in the Network+ exam. This visual guide -- based on definitions in the Security+ Study Guide, 5th Edition and the upcoming Network+ Exam Cram 4th Edition -- illustrates the various wireless security standards each of these exams expects you to know.
To make the concepts easily understandable, imagine a door and the security that is provided by the handle. In the absence of any security standard, the handle can be opened by anyone, and there isn't a lock on it.
WEP
Realizing that letting anyone who wants access to the network have it isn't a good scenario for most environments, Wired Equivalent Privacy (WEP) was added first. It is a protocol originally designed to provide privacy "equivalent" to that of a wired network and was implemented in a number of wireless devices, including PDAs and cell phones. WEP is vulnerable due to weaknesses in the way the encryption algorithm (RC4) is employed. These weaknesses allow the key to be cracked in as little as five minutes using freely available PC software, making WEP one of the more vulnerable security protocols available.
As an example, the initialization vector (IV) that WEP uses for encryption is only 24 bits, which is quite weak and means that IVs are reused with the same key. By examining the frames that repeat an IV, it is easy for miscreants to crack the WEP secret key; this is known as an IV attack. To put it in perspective, the attack works because the algorithm used is RC4, the IV is too small, the IV is static, and the IV is part of the RC4 encryption key.
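To see why a 24-bit IV is too small, here is an added example (not part of the original guide) that shows how WEP glues the IV onto the secret to form the RC4 key, how quickly IVs repeat under random or counter-based selection, and a defender-side check that flags reused IVs in the IV field of observed frames. The frame rates and the IV sample are constructed assumptions for illustration.

```python
import math
import random

IV_BITS = 24
IV_SPACE = 1 << IV_BITS        # 16,777,216 possible WEP IVs

def wep_rc4_key(iv: int, secret: bytes) -> bytes:
    """WEP builds the per-frame RC4 key by prepending the 3-byte IV, which is
    sent in the clear, to the shared secret (40 or 104 bits). The secret never
    changes, so two frames with the same IV are encrypted under the same key."""
    if not 0 <= iv < IV_SPACE:
        raise ValueError("IV must fit in 24 bits")
    return iv.to_bytes(3, "big") + secret

def frames_for_reuse(prob: float, space: int = IV_SPACE) -> int:
    """Birthday bound: frames needed before two randomly chosen IVs collide
    with probability `prob`. Devices that pick IVs at random hit this quickly."""
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - prob))))

def seconds_until_counter_wraps(frames_per_second: float, space: int = IV_SPACE) -> float:
    """Devices that use a simple counter reuse every IV once the counter wraps."""
    return space / frames_per_second

def find_iv_reuse(ivs):
    """Defender-side check over the IVs seen in observed frames: returns
    {iv: count} for every IV that appeared more than once, i.e. every
    keystream that was reused under the same secret."""
    counts = {}
    for iv in ivs:
        counts[iv] = counts.get(iv, 0) + 1
    return {iv: n for iv, n in counts.items() if n > 1}

def random_iv_sample(n: int, seed: int = 1):
    """Constructed input: n IVs chosen uniformly at random, standing in for the
    IV field of n observed WEP frames."""
    rng = random.Random(seed)
    return [rng.getrandbits(IV_BITS) for _ in range(n)]

if __name__ == "__main__":
    print("frames for 50% chance of IV reuse (random IVs):", frames_for_reuse(0.5))
    print("hours until a counter IV wraps at 500 frames/s:",
          seconds_until_counter_wraps(500) / 3600)
    print("IVs reused in 20,000 random frames:",
          len(find_iv_reuse(random_iv_sample(20000))))
```

With random IVs a repeat is more likely than not after roughly 4,800 frames; a counter wraps in about nine hours at 500 frames per second, and either way the same keystream comes back while the secret key stays the same.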
In the analogy, the door handle now has the ability to lock (or you can always choose to leave it unlocked as well). It is not a very good lock and anyone who applies enough force can still manage to get the door open, but the security it provides is enough to keep most people out.
WPA
To make the encryption stronger, Temporal Key Integrity Protocol (TKIP) was employed with WEP to create Wi-Fi Protected Access (WPA). This places a 128-bit wrapper around the WEP encryption with a key that is based on such things as the MAC address of your machine and the serial number of the packet. TKIP was designed as a backward-compatible addition to WEP and could use all existing hardware. Without the use of TKIP, WEP is considered weak. It is worth noting, however, that TKIP has been broken.
Continuing the analogy, the door handle with the lock now has a "helper" as well. This adds some limited security, but can still be broken by applying a bit more force. While an improvement, it is far from a great solution.
WPA2/802.11i
The main difference between WPA and WPA2 (Wi-Fi Protected Access 2) is that the former implements most -- but not all -- of 802.11i in order to communicate with older wireless cards (which might still need a firmware update in order to be compliant), and it uses the RC4 encryption algorithm with TKIP. By comparison, WPA2 implements the full standard and is not compatible with older cards. WPA also mandates the use of TKIP, while WPA2 favors Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). CCMP uses 128-bit AES encryption with a 48-bit initialization vector. The larger initialization vector increases the difficulty of cracking and minimizes the risk of replay. NOTE: The 802.11i standard is most commonly referred to as WPA2, the name given to it by the Wi-Fi Alliance.
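The 48-bit initialization vector mentioned above is the packet number (PN) of 802.11i. The following added example (not part of the original guide) shows how CCMP folds the PN into its AES-CCM nonce, how a receiver uses the strictly increasing PN to reject replayed frames, and how long a 24-bit versus a 48-bit counter lasts before it must wrap. The transmitter address and frame rates are constructed values for illustration.

```python
PN_BITS = 48
PN_SPACE = 1 << PN_BITS        # 2^48 packet numbers per temporal key

def ccmp_nonce(priority: int, transmitter: bytes, pn: int) -> bytes:
    """Builds the 13-byte AES-CCM nonce CCMP uses: a priority octet, the 6-byte
    transmitter address (A2) and the 48-bit packet number, most significant
    byte first. The PN counts up and never repeats under one key, so the same
    keystream is never produced twice, unlike WEP's 24-bit IV."""
    if len(transmitter) != 6:
        raise ValueError("transmitter address must be 6 bytes")
    if not 0 <= pn < PN_SPACE:
        raise ValueError("PN must fit in 48 bits")
    return bytes([priority & 0x0F]) + transmitter + pn.to_bytes(6, "big")

class ReplayCheck:
    """Receiver-side replay protection: the PN of each accepted frame must be
    strictly greater than the last one accepted from that transmitter, so a
    captured frame that is sent again is discarded."""
    def __init__(self):
        self.last_pn = {}          # transmitter address -> highest accepted PN

    def accept(self, transmitter: bytes, pn: int) -> bool:
        if pn <= self.last_pn.get(transmitter, -1):
            return False           # replay or out-of-order: drop the frame
        self.last_pn[transmitter] = pn
        return True

def seconds_to_exhaust(bits: int, frames_per_second: float) -> float:
    """How long a counter of `bits` bits lasts at a given frame rate before it
    wraps and the key must be replaced; compare 24 bits against 48."""
    return (1 << bits) / frames_per_second

if __name__ == "__main__":
    ap = bytes.fromhex("001122334455")        # constructed transmitter address
    print("nonce:", ccmp_nonce(0, ap, 1).hex())
    rc = ReplayCheck()
    print([rc.accept(ap, pn) for pn in (1, 2, 2, 1, 3)])   # replayed frames rejected
    print("WEP 24-bit IV at 1e6 frames/s:", seconds_to_exhaust(24, 1e6), "s")
    print("CCMP 48-bit PN at 1e6 frames/s:",
          seconds_to_exhaust(48, 1e6) / 31536000, "years")
```

At a million frames per second a 24-bit counter wraps in under 17 seconds, while a 48-bit PN lasts close to nine years; in practice the temporal key is rotated long before that.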
Finishing the analogy, the door handle now has another lock -- a deadbolt, in this case -- added to assist. This increases the security over the other solutions. While it is still possible for someone whose life-goal is to gain entry to do so (by breaking the glass, driving a Trailblazer through the door, et cetera), it effectively keeps out all but the most committed.
For Exam Purposes
As a simplified timeline useful for exam study, think of WEP as coming first. It was fraught with errors and WPA (with TKIP) was used as an intermediate solution, implementing a portion of the 802.11i standard. The final solution -- a full implementation of the 802.11i standard -- is WPA2 (with CCMP).
Miscellany
Many networks will regularly broadcast their name (known as an "SSID broadcast") to announce their presence. One method of "protecting" the network that is often recommended is to turn off the SSID broadcast. The access point is still there and can still be accessed by those who know of it, but it prevents those who are just scanning from finding it. This should be considered a very weak form of security as there are still other ways, albeit a bit more complicated, to discover the presence of the access point besides the SSID broadcast.
Any wireless access point added to your network that has not been authorized is considered a "rogue." The rogue may be added by an attacker, or could have been innocently added by a user wanting to enhance their environment. The problem with the user doing so is that there is a good chance they will not implement the security you would, and this could open the system up for a man-in-the-middle or "evil twin" attack. An evil twin attack is one in which a rogue wireless access point poses as a legitimate wireless service provider to intercept information users transmit.
Be sure to change the default settings on all wireless devices. Never assume that a wireless connection is secure. The emissions from a wireless portal may be detectable through walls and for several blocks from the portal. Interception is easy to accomplish, given that RF is the medium used for communication. Newer wireless devices offer data security, and you should use it. You can set newer APs and wireless routers to non-broadcast in addition to configuring WPA2.
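As an added example (not part of the original guide), here is a small audit that applies the points above to a site survey: it compares the access points seen in a scan against an inventory of the APs you actually deployed, flags a BSSID you never deployed that advertises your SSID as a possible evil twin, flags your own APs that have drifted from WPA2, and notes hidden (non-broadcast) SSIDs for follow-up. The inventory, the scan format (BSSID, SSID, security per line) and the scan lines are all constructed.

```python
from dataclasses import dataclass

# Constructed inventory of the APs we deployed: BSSID -> (SSID, security) as configured.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("CorpWiFi", "WPA2"),
    "00:11:22:33:44:02": ("CorpWiFi", "WPA2"),
}
CORP_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}

@dataclass
class Observation:
    bssid: str
    ssid: str        # "" when the AP does not broadcast its SSID
    security: str    # "OPEN", "WEP", "WPA" or "WPA2"

def parse_scan(text: str):
    """Parses the constructed scan format: one AP per line, BSSID, SSID, security."""
    obs = []
    for line in text.strip().splitlines():
        bssid, ssid, sec = [f.strip() for f in line.split(",")]
        obs.append(Observation(bssid.lower(), ssid, sec.upper()))
    return obs

def classify(obs: Observation) -> str:
    known = AUTHORIZED_APS.get(obs.bssid)
    if known is not None:
        exp_ssid, exp_sec = known
        ssid_ok = obs.ssid in ("", exp_ssid)   # "" = SSID broadcast turned off, as recommended
        if not ssid_ok or obs.security != exp_sec:
            return "misconfigured"   # our AP, but not running the settings we configured
        return "authorized"
    if obs.ssid == "":
        return "hidden"              # not ours and not announcing itself: worth a closer look
    if obs.ssid in CORP_SSIDS:
        return "evil-twin"           # our SSID served from a BSSID we never deployed
    return "foreign"                 # a neighbor's network; an RF scan alone cannot tell
                                     # whether it is also plugged into our wired LAN

def audit(text: str):
    return {o.bssid: classify(o) for o in parse_scan(text)}

SCAN = """
00:11:22:33:44:01, CorpWiFi, WPA2
00:11:22:33:44:02, CorpWiFi, WEP
de:ad:be:ef:00:01, CorpWiFi, OPEN
aa:bb:cc:dd:ee:ff, Neighbor, WPA2
"""

if __name__ == "__main__":
    for bssid, verdict in audit(SCAN).items():
        print(bssid, verdict)
```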