Just because a vulnerability is common and easy to avoid won't stop lazy and/or incompetent devs from making it. I mean SQL injection is still incredibly common despite being easily mitigated by really basic knowledge and despite being handled properly by the most common data access libraries in every single programming language.