See ComputerWorld's "SQL Injection Attacks Lead to Heartland, Hannaford Breaches" for more on this topic.
I'm amazed because SQL injection is an entirely preventable bug. Yet, it's the top attack technique.
That's an amazing indictment of the programming profession. There are so many shoddy, incompetent programmers (and shoddy, incompetent customers of programming services) that SQL injection is the top attack technique.
I almost forgot the obligatory XKCD comic: http://xkcd.com/327/