Definitely not true, I've encountered plenty of SQL users at work who never heard of injection attacks or parameterized queries. Some of them even built some ad-hoc query builders to replace some of their own repetitive queries. (Note that parameterized queries alone are not sufficient: often people would try to parameterize table or column names.)
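The parenthetical above, illustrated with an added example that is not part of the original comment: a placeholder binds a value, never an identifier, so table and column names have to be checked against an allowlist before they are put into the SQL text. The `users` table, its rows, the allowlists and the function names are assumptions made for this sketch, which uses Python's standard `sqlite3` module.

```python
import sqlite3

# Hypothetical allowlists: the only identifiers a caller may select.
ALLOWED_TABLES = {"users"}
ALLOWED_COLUMNS = {"name", "email"}

def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                   [("bob", "bob@example.com"), ("alice", "alice@example.com")])
    return db

def bind_column_as_value(db, column):
    # The placeholder is bound as a string *value*, so every row yields the
    # literal text of `column` instead of that column's contents.
    return [row[0] for row in db.execute("SELECT ? FROM users", (column,))]

def bind_table_as_parameter(db, table):
    # A placeholder is not valid where a table name is expected: SQLite
    # rejects the statement when preparing it. Returns True if it ran.
    try:
        db.execute("SELECT name FROM ?", (table,))
        return True
    except sqlite3.OperationalError:
        return False

def select_column(db, table, column, min_id):
    # Identifiers are validated against the allowlists and only then placed
    # in the SQL text; the data value still goes through a placeholder.
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {table!r}")
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not allowed: {column!r}")
    sql = f'SELECT "{column}" FROM "{table}" WHERE id >= ? ORDER BY id'
    return [row[0] for row in db.execute(sql, (min_id,))]

if __name__ == "__main__":
    db = make_db()
    print(bind_column_as_value(db, "email"))
    print(bind_table_as_parameter(db, "users"))
    print(select_column(db, "users", "email", 1))
```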