by mgmarum 3347 days ago
Yes. For example, SugarCRM is adding prepared statement support which mitigates any potential SQL injection problems. I mention this since it was posted just this last week. These changes are very large and far reaching so it does take time.

https://developer.sugarcrm.com/2017/04/17/use-of-prepared-st...

3 comments

Prepared statements were considered the best practice for over a decade now. I know these things take time but the fact that this is just happening now is actually more cause for alarm, not less.
Great stuff again Matthew :), your blogs are always easy to read and helpful! Personally I think that string concatenation in query building throughout the Sugar code base (campaigns, workflows) is very problematic and could also be exposed in a couple of scenarios. But like I said, this seems to be the work in progress currently at Sugar.

Hopefully Sugar will come forward with a response to these allegations because these are serious security risks.

Thanks. Yes, I am hopeful that a response will be forthcoming.
> mitigates any potential SQL injection problems

Not quite, string concat for defining queries is still plenty vulnerable regardless of PDO.

It mitigates quite a few SQL injection possibilities, but yes, string concatenation while building queries still remains an issue.
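The distinction the last two comments draw (prepared statements fix injection through bound values, but not through SQL text that is still assembled by concatenation) is easy to see in a few lines. The following is an added example, not SugarCRM's code and not from the linked post; it uses Python's sqlite3 module as a stand-in for PDO, with a constructed in-memory `contacts` table, a hypothetical `ALLOWED_ORDER_COLUMNS` allow-list, and function names chosen here for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data: an in-memory table standing in for a CRM's
    # contacts table. The schema and rows are invented for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, email TEXT, deleted INTEGER)"
    )
    conn.executemany(
        "INSERT INTO contacts (name, email, deleted) VALUES (?, ?, ?)",
        [
            ("Ada", "ada@example.test", 0),
            ("Bob", "bob@example.test", 0),
            ("Eve", "eve@example.test", 1),
        ],
    )
    return conn


def find_by_name_concat(conn, name):
    # Vulnerable: the caller-supplied value becomes part of the SQL text,
    # so quoting characters in it change the query's structure.
    sql = "SELECT name FROM contacts WHERE deleted = 0 AND name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_prepared(conn, name):
    # Hardened: the value travels as a bound parameter and is never parsed
    # as SQL, which is what prepared-statement support buys you.
    sql = "SELECT name FROM contacts WHERE deleted = 0 AND name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def list_sorted_unsafe(conn, order_by):
    # The thread's caveat: this call is "prepared" (the deleted flag is bound),
    # yet the ORDER BY clause is still concatenated from caller input, so any
    # SQL fragment placed there reaches the database engine unchanged.
    sql = "SELECT name FROM contacts WHERE deleted = ? ORDER BY " + order_by
    return [row[0] for row in conn.execute(sql, (0,))]


# Hypothetical allow-list of sortable columns; identifiers cannot be bound as
# parameters, so they must be validated before entering the statement text.
ALLOWED_ORDER_COLUMNS = {"id", "name", "email"}


def list_sorted_safe(conn, order_by):
    # Hardened: only a known column name may be spliced into the SQL text.
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError("unsupported sort column: %r" % (order_by,))
    sql = "SELECT name FROM contacts WHERE deleted = ? ORDER BY " + order_by
    return [row[0] for row in conn.execute(sql, (0,))]


if __name__ == "__main__":
    db = make_db()
    print(find_by_name_concat(db, "Ada"))            # ['Ada']
    print(find_by_name_concat(db, "x' OR '1'='1"))   # every row, deleted ones included
    print(find_by_name_prepared(db, "x' OR '1'='1"))  # []
    print(list_sorted_unsafe(db, "email DESC"))       # arbitrary SQL fragment accepted
    print(list_sorted_safe(db, "email"))               # ['Ada', 'Bob']
```

The takeaway for review work: grep for prepared-statement calls is not enough; look at how the SQL string passed to them is built. Any piece of it that comes from user input and is not a bound parameter (table or column names, sort direction, `IN` lists built by joining strings) needs allow-listing or another structural check.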