DOM corruption is a somewhat complex class of vulnerabilities (see lcamtuf's "Notes From A Post-XSS World" for an example of why), and it's not surprising to see we're making less progress.
White Hat has a set of tests they run against their customers over time. They tell their customers what problems they find. Their customers (mostly) fix the problems.
I'm not sure that translates correctly to the outside world. The fact that their stats show a decline in the presence of SQL injection vulnerabilities could only be showing us that they have more old customers that have gone through a couple of reports and patch cycles than they have new customers who might not yet have fixed what they're told to fix.
* Developers are taught to use parameterized queries
* Fewer big applications are built in PHP
* More projects use ORMs now than don't
* Random testers hoping for bug bounties hammer every application with SQLI scanners
One could argue that because of reputation and market share, Matasano gets customers who prioritize security, making such vulnerabilities occur less often for Matasano customers.
Your points are valid.
Even if secure development practices exist, there's a lot of software in production being run by companies and government agencies with a very poor understanding of these practices. It may also be that these entities have very good security departments, but these departments are very limited in what they can improve internally because of a lack of resources or policies.
There's a lot of companies out there who outsource a lot of stuff to people who don't know how to write secure code. Like White Hat (Error138): https://github.com/WhiteHatSecurity/Aviator/blob/e2d03093b94...
There's a lot of different angles to it.
XSS is far more prevalent, and I'm more likely to find PHP Object Injection via unserialize() protected by weak md5/sha1 auth (or outright naked) than I am to find SQLi in modern PHP apps.
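An added example (not part of the thread or any poster's code) of the pattern the last comment names, assuming "weak md5/sha1 auth" means a client-held serialized blob tagged with `md5(secret . data)`. The key, function names and sample state are constructed for illustration; the weak check sits beside a hardened one using HMAC-SHA256, `hash_equals()` and JSON.

```php
<?php
// Constructed placeholder key; load a real one from configuration or a secret store.
const SECRET = 'constructed-demo-key';

// Weak pattern (assumed reading of "weak md5/sha1 auth"): secret-prefix MD5,
// loose comparison, then unserialize() with every class allowed.
function load_state_weak(string $blob, string $tag)
{
    // md5(secret . data) is not a MAC: the construction is length-extendable,
    // and == can type-juggle digests that look numeric ("0e...").
    if (md5(SECRET . $blob) == $tag) {
        // unserialize() on client-held data can instantiate any loaded class
        // and trigger its __wakeup()/__destruct() methods.
        return unserialize($blob);
    }
    return null;
}

// Hardened: the tag is a keyed HMAC and the payload format is plain data (JSON).
function seal_state(array $state): array
{
    $blob = json_encode($state, JSON_THROW_ON_ERROR);
    return [$blob, hash_hmac('sha256', $blob, SECRET)];
}

function load_state(string $blob, string $tag): ?array
{
    $expected = hash_hmac('sha256', $blob, SECRET);
    if (!hash_equals($expected, $tag)) {   // constant-time, type-strict compare
        return null;                       // reject before any parsing happens
    }
    try {
        $state = json_decode($blob, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($state) ? $state : null;
}

// Constructed sample state: round-trip it, then alter the blob without re-signing.
[$blob, $tag] = seal_state(['uid' => 42, 'role' => 'user']);
var_dump(load_state($blob, $tag));
$tampered = str_replace('"user"', '"admin"', $blob);
var_dump(load_state($tampered, $tag));
```

Where legacy data must stay in PHP's serialize format, `unserialize($blob, ['allowed_classes' => false])` after the HMAC check keeps objects from being instantiated.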