• If objects are secured properly and authentication mechanisms are secure, then SQL injection should not be an issue. Remember that you can send any command over ADO.NET as long as the authenticated user has permission to perform that command. Since the code is controlling the SQL that is generated and sent to the server, you have to take measures to make sure the code is secure (apostrophes are escaped, etc.).

    This is the same issue if you are using something like NHibernate--it needs CRUD permissions on all tables--versus using stored procedures for all access while locking out table access.

    SQL injection is an issue when you are generating DML, so you just have to take proper measures to deal with it and then thoroughly test for known injection methods. This should be part of your coding/testing to start off with. Bunching commands together in one string vs. individual strings is the only difference.

    I'm not saying this is the best way to do things, and there are a lot of things that can go wrong if you don't anticipate problems (i.e. injection), but it is another technique.
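As an added example (not code from the post above, and not ADO.NET itself), the following Python script uses an in-memory SQLite database to show the three approaches the post touches on side by side: plain string concatenation, hand-rolled apostrophe escaping, and a parameterized query. It goes one step beyond the post by showing the case escaping does not cover: a value inserted into an unquoted numeric position, where there is no apostrophe to escape. The table, rows and attacker strings are constructed for the demonstration; the ADO.NET equivalent of the last function is `SqlCommand` with entries in its `Parameters` collection rather than a concatenated string.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concat(conn, name):
    """1. Straight concatenation: the caller's string becomes part of the DML.

    Input "' OR '1'='1" turns the WHERE clause into a tautology and returns
    every row the connection's user is allowed to read.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, name):
    """2. The "apostrophes are escaped" measure from the post.

    Doubling each single quote keeps the value inside the string literal, so
    the same tautology payload is now just a name nobody has.
    """
    sql = "SELECT name FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped_numeric(conn, user_id):
    """3. The same escaping applied to an unquoted numeric column.

    There is no quote to break out of, so "1 OR 1=1" passes the escaping
    untouched and still rewrites the predicate. This is the case that a
    quote-escaping rule alone does not cover.
    """
    sql = "SELECT name FROM users WHERE id = " + str(user_id).replace("'", "''")
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, user_id, name):
    """4. Parameterized query: values travel separately from the SQL text.

    The driver binds both values; "1 OR 1=1" is compared to the id column as a
    single (non-matching) value instead of being parsed as SQL.
    """
    sql = "SELECT name FROM users WHERE id = ? AND name = ?"
    return [row[0] for row in conn.execute(sql, (user_id, name))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("concat   :", lookup_concat(db, payload))
    print("escaped  :", lookup_escaped(db, payload))
    print("numeric  :", lookup_escaped_numeric(db, "1 OR 1=1"))
    print("param    :", lookup_param(db, "1 OR 1=1", "alice"))
```

The point the post makes about permissions still holds in every branch: even the concatenated query can only return rows the connection's principal may read, so least privilege on the database account bounds the damage. Parameters remove the need to enumerate escaping rules per data type, which is why they are the usual recommendation over manual escaping.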