• Set the amnesty date in 2003 and you'd have to fire some Microsoft programmers. I was shocked to see sample code on the architecture and practices site with concatenated queries much later than that.

Worse still, recent versions of SSIS have decreased the opportunities to add parameters to queries on sources, opting for expressions. The chance of a SQL injection in SSIS is very rare, but it sets the wrong expectations and habits.

It is a correct observation that this problem stems from low cost, which is further fueled by the low barrier to entry. As a profession, we have done a bad job of setting standards and communicating the value of those standards.

I expect this will get much worse before it gets any better. New web companies emerge every day, and each is an opportunity for bad code to expose private information. As far as fining the offending companies... the big guys have their license agreements written to exclude damages incurred from their bugs. I don't expect that to change either.