It's not hard to do correctly. If you employ people to write SQL who can't tell the difference between string concatenation and parameterised queries, then your bar is too low. This can be learned in under an hour[0], and is the most fundamental thing to bear in mind when writing a query.
[0] https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection...
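An added illustration of the distinction the comment draws (example code, not part of the comment or the linked cheat sheet), using Python's built-in sqlite3 module and a constructed in-memory `users` table: the concatenated query lets input change the query's structure and breaks on a legitimate name containing an apostrophe, while the parameterised query treats the same input purely as a value.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user"), ("bob", "user")],
    )
    return conn


def find_user_concat(conn, name):
    # Vulnerable form: the caller's input is spliced into the SQL text,
    # so quote characters in it are parsed as SQL grammar.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn, name):
    # Parameterised form: the driver binds the input as a value; it is
    # never re-parsed as SQL, whatever characters it contains.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(conn, name):
    # Runs both forms on the same input and reports what each does.
    # A syntax error from the concatenated form is returned as a string
    # rather than raised, so callers can see the failure side by side.
    try:
        concat = find_user_concat(conn, name)
    except sqlite3.OperationalError as exc:
        concat = "error: " + str(exc)
    return {"concat": concat, "param": find_user_param(conn, name)}


if __name__ == "__main__":
    db = make_db()
    for candidate in ("alice", "O'Brien", "x' OR '1'='1"):
        print(repr(candidate), compare(db, candidate))
```

For a plain name both forms agree; for `O'Brien` the concatenated form fails with a syntax error, and for the constructed input `x' OR '1'='1` it returns every row while the parameterised form correctly returns none.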