It doesn't cost more to not write a SQL injection vulnerability. It just takes a programmer who has a basic understanding of internet 101, and who while writing any line of code involving user input will ask himself "how will these assholes use this to fuck with my system". As long as one line of code can take down your whole infrastructure, and unless all devs of anything serious have a minimum competency level, we are doomed to continue the current path, with a major data leak pretty much every week.

So it will probably take a combination of new, safer programming languages, and minimum proficiency levels, enforced with regulations. I don't like it, but I don't know a better solution, and the statu quo is unacceptable.