SQL injection is probably malformed input in lots of cases and should return a 400 Bad Request. If you are returning a 200 maybe you really did want to take SQL (think of Mode or PHPMyAdmin).
That's the entire point of hacking, circumventing protections that the server has in place to get a response you were not supposed to get. The status code is irrelevant.
The same applies in the real world too. If I perform a social engineering hack and get you to pay a fake invoice, it's still theft (or fraud), even though someone willingly and deliberately sent you money.
That assumes that the server recognized it as invalid. It it had, then it should take measured to block the input, but if the attack succeeded then the server would not be recognizing the attach and would respond with a 200
The same applies in the real world too. If I perform a social engineering hack and get you to pay a fake invoice, it's still theft (or fraud), even though someone willingly and deliberately sent you money.