RE: Is there a way to identify dynamic sql that may be vulnerable to sql injection?

  • Flat out, if you're not parameterizing the queries in some method, through stored procedures, through the code, or through parameters defined in sp_executesql, you are almost absolutely at risk of SQL Injection attacks. Period. Full stop. Doesn't matter if it's one query or one million. You're at risk if you're not using methods that ensure only appropriate data can be sent into queries in your system. The way to ensure that is using parameters. That's it.

    Now, none of this says you MUST use stored procedures (I hate that argument). However, just generating dynamic T-SQL, using pretty much any method, can be vulnerable unless that T-SQL is parameterized. You can see in the code examples that I link to, you're not limited to stored procs. However, you have to write the code correctly, or your business is vulnerable.

    To quote my kids, it's current year. No one should be writing code any longer that isn't dealing appropriately with this issue.

    "The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
    - Theodore Roosevelt

    Author of:
    SQL Server Execution Plans
    SQL Server Query Performance Tuning
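To make the reply concrete, here is an added T-SQL example (not code from the post above or from its author) showing the two dynamic-SQL patterns it contrasts, plus a heuristic catalog query for finding modules that execute concatenated strings without sp_executesql. The table dbo.Customer, the procedure names and the column list are hypothetical.

```sql
-- Added example, not from the original post. Objects are hypothetical.

-- Pattern the reply warns about: caller input concatenated straight into
-- the statement text, so whatever @CustomerName contains becomes T-SQL.
CREATE PROCEDURE dbo.usp_FindCustomer_Unsafe
    @CustomerName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, CustomerName FROM dbo.Customer '
             + N'WHERE CustomerName = ''' + @CustomerName + N''';';
    EXEC (@sql);   -- input is run as code, not handled as data
END;
GO

-- Parameterized form: the statement text is fixed and the value travels
-- as a typed parameter through sp_executesql, so it can only ever be data.
CREATE PROCEDURE dbo.usp_FindCustomer_Safe
    @CustomerName nvarchar(100),
    @OrderBy      sysname = N'CustomerName'   -- identifier chosen by caller
AS
BEGIN
    -- Identifiers cannot be parameters; allow-list them, then QUOTENAME.
    IF @OrderBy NOT IN (N'CustomerId', N'CustomerName')
        THROW 50000, N'Invalid sort column.', 1;

    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, CustomerName FROM dbo.Customer '
      + N'WHERE CustomerName = @name ORDER BY ' + QUOTENAME(@OrderBy) + N';';

    EXEC sys.sp_executesql
        @stmt   = @sql,
        @params = N'@name nvarchar(100)',
        @name   = @CustomerName;
END;
GO

-- Review candidates: modules whose definition executes a variable with
-- EXEC(@...) and never calls sp_executesql. Heuristic only; each hit
-- still needs a human to confirm where the string's contents come from.
SELECT
    OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
    OBJECT_NAME(m.object_id)        AS module_name,
    o.type_desc
FROM sys.sql_modules AS m
JOIN sys.objects     AS o ON o.object_id = m.object_id
WHERE m.definition LIKE N'%EXEC%(@%'          -- EXEC (@sql), EXECUTE(@sql)
  AND m.definition NOT LIKE N'%sp_executesql%'
ORDER BY schema_name, module_name;
```

The catalog query only narrows the list; a module that builds its string from table data or from another procedure's output can be just as exposed, which is why the reply's point stands: the check that matters is whether every value reaching the statement goes in as a parameter.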