The service accounts that your web sites use to connect to the SQL database can be locked down to only permit stored procedure execution, and of course those procs must be written to validate input parameter values. So with the right precautions, SQL injection vulnerability can be reduced.

TDE, of course, protects your data at rest, i.e. if someone gets hold of the MDF file.

Nice article, thanks Steve!
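As an added example (not part of the comment above or of the article it replies to), here is the pattern the commenter describes in T-SQL for SQL Server: a web application account whose only right is EXECUTE on a stored procedure, a procedure that validates its parameter, and TDE enabled for the database files. All object names (WebAppDb, web_app_login, dbo.Orders, TdeCert) are assumed.

```sql
-- Added example (not from the comment or the article): T-SQL for the two points above.
-- All object names (WebAppDb, web_app_login, dbo.Orders, ...) are assumed.
USE WebAppDb;
GO
-- 1. Dedicated login/user for the web site; no db_datareader/db_datawriter membership,
--    so the only rights it gets are the GRANT EXECUTE below.
CREATE LOGIN web_app_login WITH PASSWORD = '<strong password placeholder>';
CREATE USER web_app_user FOR LOGIN web_app_login;
GO
-- 2. A procedure that validates its parameter before touching data and never
--    builds dynamic SQL from the input.
CREATE OR ALTER PROCEDURE dbo.GetOrderById
    @OrderId INT
AS
BEGIN
    SET NOCOUNT ON;
    IF @OrderId IS NULL OR @OrderId <= 0
        THROW 50001, 'Invalid @OrderId', 1;
    SELECT OrderId, CustomerId, OrderDate, Total
    FROM dbo.Orders
    WHERE OrderId = @OrderId;
END;
GO
-- Grant EXECUTE on the procedure only; the account cannot SELECT dbo.Orders directly.
GRANT EXECUTE ON OBJECT::dbo.GetOrderById TO web_app_user;
-- Check the effective permissions by impersonating the web user.
EXECUTE AS USER = 'web_app_user';
SELECT HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT')        AS CanSelectOrders,
       HAS_PERMS_BY_NAME('dbo.GetOrderById', 'OBJECT', 'EXECUTE') AS CanExecProc;
REVERT;
GO
-- 3. TDE: encrypt the database's data and log files (MDF/LDF) at rest.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password placeholder>';
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for WebAppDb';
-- Back up TdeCert and its private key now; without them the database cannot be restored.
GO
USE WebAppDb;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
ALTER DATABASE WebAppDb SET ENCRYPTION ON;
GO
```

The impersonation check should report 0 for SELECT on the table and 1 for EXECUTE on the procedure; if the web account ends up with direct table rights, the stored-procedure boundary is not actually enforcing anything.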