So, we patch our servers, subject them to numerous security scans, implement security best practices and expect them to be secure? That's ridiculous.
I have been trying to convince developers that a perfectly functional application can still be vulnerable if they do not follow security best practices when writing code. I come from a developer background as well, and with tight and unreasonable deadlines, developers are only concerned with functionality and nothing more. But with the increasing number of websites being defaced through SQL injection attacks, there's no doubt that as long as applications are running on servers, there will always be security vulnerabilities. SQL injection attacks are no respecter of platform or database engine. So better have a look at your application code.
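To make the point concrete, here is an added example (not from the original post) of the coding mistake that lets a working query be hijacked, beside the parameterized form that keeps user input as data. It uses an in-memory SQLite table and constructed sample rows; the table, names and functions are assumptions for illustration only.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory user table (assumed for this example).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_concat(conn, name):
    # Vulnerable: the untrusted value is spliced into the SQL text, so
    # quote characters in it change the structure of the statement.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    # Hardened: the statement text is fixed and the value is bound as a
    # parameter; the database never parses the input as SQL.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def is_input_treated_as_data(conn, value):
    # Simple check a reviewer can run: the same input must yield
    # identical results through both paths; a mismatch means the
    # concatenated version is interpreting the input as SQL.
    return lookup_concat(conn, value) == lookup_param(conn, value)


if __name__ == "__main__":
    db = make_db()
    benign = "alice"
    crafted = "x' OR '1'='1"  # classic textbook input, constructed here
    print(lookup_concat(db, benign), lookup_param(db, benign))    # same single row
    print(lookup_concat(db, crafted))  # every row: the WHERE clause was rewritten
    print(lookup_param(db, crafted))   # []: no user has that literal name
    print(is_input_treated_as_data(db, crafted))  # False
```

Both functions behave identically on normal input, which is exactly why a functionality-only test suite never catches the difference.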
A Microsoft blog post on SQL injection attacks is available here.