• Perhaps it's just a figure of speech, but the fixation on firing people for this seems misplaced.

    Surely, coding to prevent SQL Injection is a learned skill, like many others.

    If a company had rigorous guidelines, training, or quality control initiatives and a programmer stubbornly refused to change coding practices, then termination makes sense. Otherwise, it seems like it falls into the category of a teachable mistake.

    The ultimate responsibility for public errors, incursions, and data loss should rest much higher in the organization.