xorcist a day ago
They had a product that interpolated untrusted data into trusted SQL strings, but being told about it (and many other vulnerabilities!) was all that was required to make them watertight. I would be very happy if you are right about this. Whitelisting is usually easier than blacklisting, and not developing brittle features where errors have security implications is usually easier than spending money on security after the fact. However, not developing features is not something we as an industry are good at. GitHub Actions perhaps being the most recent example of this.