As noted by us-cert.gov there are many methods of taking advantage of SQL injection opening in a website.
The real problem is when companies don't admit to the breaches occuring.
At Security magazine they did a survey189,650 respondents:
15% of respondents said that there was a data breach, and 20% from servers.
15% of 189650 = 28447 breaches.
So there were plenty of problems in corporate America in the security area. and 89% think they have handled the issue.
Obviously there is a disconnect. this is assuming the other 160,000 are being truthful.