If yes, why are there still so many successful SQL injections? Just because some developers are too dumb to use parameterized statements?
I wouldn't say "dumb".
I think the tutorials are the problem. Most SQL tutorials, books, whatever explain SQL with inlined values, not mentioning bind parameters at all. People learning from these tutorials don't have a chance to learn it right.
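The difference the answer is pointing at, as an added example that is not part of the original thread: the inlined-value pattern most tutorials show, next to the bind-parameter form, run against a constructed in-memory SQLite table (Python's `sqlite3` module, `?` placeholder style).

```python
import sqlite3


def make_db():
    # Constructed sample table; not from the original thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("O'Brien",)])
    conn.commit()
    return conn


def find_user_inlined(conn, name):
    # The tutorial pattern: the value is spliced into the SQL text, so the
    # database parser sees user input as part of the statement itself.
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_bound(conn, name):
    # Bind parameter: the statement text is fixed; the value is sent
    # separately and is never parsed as SQL.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    # Run both forms on the same input and return (inlined, bound) results.
    # A quote in the input breaks the inlined query (SQL syntax error),
    # while the bound query simply matches the literal value.
    conn = make_db()
    try:
        inlined = find_user_inlined(conn, name)
    except sqlite3.Error as exc:
        inlined = "error: %s" % exc
    bound = find_user_bound(conn, name)
    conn.close()
    return inlined, bound


if __name__ == "__main__":
    print(compare("alice"))
    print(compare("O'Brien"))
```

The same quote character that makes the inlined form fail is what lets attacker-controlled input change the statement's structure; the bound form has no such path because the value never reaches the SQL parser.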