Only 10% of sites are vulnerable to SQL injection, and I'm not completely sure, so don't take my word for it, but I think SQL injection only works for sites that are running index.asp or something.
There are MANY more vulnerable sites than this, just not popular ones designed by companies. You'll find plenty of them from people who just came out of college/university though. Point being, anyone new to designing database sites is likely to subject themselves to this type of abuse.
ASP isn't the only type of file that can be subjected to this issue; PHP, HTML and probably others can as well. Anything that utilizes a database that takes input from the user and is not being filtered properly is at risk.
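To illustrate the point that the risk comes from how user input reaches the database rather than from the file type, here is an added example (not part of the original posts) that runs the same lookup two ways and reports where they diverge. Python with the built-in `sqlite3` module is an assumption chosen so it runs offline; the table, function names and sample inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory table of constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db

def lookup_unfiltered(db, name):
    """Unsafe: user input is pasted into the SQL text, so it can change the query."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(query)]

def lookup_parameterized(db, name):
    """Safe: the driver binds the input as a value; it is never parsed as SQL."""
    return [row[0] for row in db.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]

def audit(db, samples):
    """Report inputs for which the two lookups disagree or the unsafe one errors."""
    findings = []
    for s in samples:
        safe = lookup_parameterized(db, s)
        try:
            unsafe = lookup_unfiltered(db, s)
        except sqlite3.Error as exc:
            findings.append((s, "syntax error: " + type(exc).__name__))
            continue
        if unsafe != safe:
            findings.append(
                (s, "returned %d rows instead of %d" % (len(unsafe), len(safe))))
    return findings

if __name__ == "__main__":
    db = make_db()
    # Constructed test inputs: a normal name, a name with an apostrophe,
    # and a value whose quote changes the WHERE clause.
    for item in audit(db, ["alice", "O'Brien", "x' OR '1'='1"]):
        print(item)
```

The same comparison works as a regression test in any stack: every input should give identical results through the bound-parameter path and whatever path the application actually uses.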