Channel Register

Post: It will not help

Anton Ivanov


In Microsoft and HP tackle SQL-injection scourge

Coat

Microsoft, PHP, Perl have all had built-in functionality to avoid SQL injection for 10+ years now. Every single "corporate" developer I have met does not use it (except some of the Perl-heads). Interestingly enough, the non-corporate ones do.

Every time I work with a new team I have to teach them. And every time I leave a team which has started working properly, using the so-called prepared SQL statements and SQL variable substitution, I find them reverting to the old injection-prone practices a few weeks later.

The truth is - developers do not care.

Me coat. The one which says "SQL injection is a self-inflicted problem".