
Virtually every organization I've seen, private or public, that isn't focusing on secret or higher clearance data, doesn't spend more than a weekend on appsec. Even organizations that have security teams dedicated to trying to secure their appsec infrastructure often do it as a black box, or after it is already in production.

Aside from that? It should just be expected that any system that uses a structured query language and can receive user input is vulnerable to injection.



