Yes, but they don't parameterize the sort order on every sortable table, or the limits used in pagination, or the custom join expressions ORM developers inevitably write.
Same can be said for sprocs. Any popular ORM will have proper handling for parameters. In both cases you can't rely on the tool, you have to know what you're doing.
It's true that stored procedures can be injectable, but it's extremely rare, and you can find the 0.1% of them that might be with a simple grep regex, unlike ORMs.
