Most languages have a way to avoid SQL injection attacks, and linters that enforce usage of that.
For bad workplaces just using an ORM is a lot safer though, I agree. Performance can quickly become an issue when people stop thinking entirely about the DB level operations happening, and this comes up much quicker at workplaces where not enough people care.
I've seen raw SQL queries full of fatal SQL injection bugs like these littered in codebases, very cringeworthy.