
I don't know: their observations square with my anecdotal observations over 10 years of appsec consulting. On my first ever web pentest, I got a 'OR''=' SQLI in the username of a login form. In 2014, when I left Matasano, that would have been absolutely shocking. SQLI has become far less common:

* Developers are taught to use parameterized queries

* Fewer big applications are built in PHP

* More projects use ORMs now than don't

* Random testers hoping for bug bounties hammer every application with SQLI scanners
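The bypass described in the comment above, as an added example that is not part of the original thread or any poster's code: a login query built by string concatenation against a constructed in-memory SQLite table, with the `'OR''='` payload supplied in both the username and password fields, beside the parameterized form. The table contents, the account name and the password are all made up for the example.

```python
import sqlite3

# The classic login-bypass payload from the comment above.
BYPASS = "' OR ''='"


def make_db():
    # Constructed sample data: an in-memory users table with one account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # String concatenation: user input becomes part of the SQL text, so a quote
    # in the input closes the string literal and the rest is parsed as SQL.
    # With BYPASS in both fields the WHERE clause becomes
    #   username = '' OR ''='' AND password = '' OR ''=''
    # and the trailing ''='' is true for every row.
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    # Placeholders: the statement text is fixed and the values travel separately,
    # so a quote in the input is just a quote inside the compared string.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass payload:   ", login_vulnerable(db, BYPASS, BYPASS))
    print("parameterized, bypass payload:", login_parameterized(db, BYPASS, BYPASS))
    print("parameterized, real password: ", login_parameterized(db, "alice", "correct horse"))
```

The vulnerable function returns the first account in the table for the payload, the parameterized one returns nothing because no user is literally named `' OR ''='`. How much of the predicate an attacker has to neutralise depends on the shape of the query; the fix does not, which is why parameterization rather than input filtering is what developers are taught.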



Anecdotally, I've recently come across XSS in search fields and SQL injections in login forms.

One could argue that because of reputation and market share, Matasano gets customers who prioritize security, making such vulnerabilities less common among Matasano customers.

Your points are valid.

Even if secure development practices exist, there's a lot of software in production being run by companies and government agencies with a very poor understanding of these practices. It may also be that these entities have very good security departments, but these departments are very limited in what they can improve internally because of a lack of resources or because of policies.

There are a lot of companies out there who outsource a lot of stuff to people who don't know how to write secure code. Like White Hat (Error138): https://github.com/WhiteHatSecurity/Aviator/blob/e2d03093b94...

There's a lot of different angles to it.


As someone who's actively engaged in webappsec stuff, I concur with Thomas's observations.

XSS is far more prevalent, and I'm more likely to find PHP Object Injection via unserialize() protected by weak md5/sha1 auth (or outright naked) than I am to find SQLi in modern PHP apps.
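The "weak md5/sha1 auth" in the comment above, as an added example that is not part of the original thread or any poster's code. The page's case is PHP's unserialize(); this block illustrates in Python the check that is supposed to guard such a sink, on the reading (an assumption) that the tag is a bare hash of the payload with no server secret mixed in. Everything attacker-controlled here is modelled as a serialized session blob plus a tag; the secret, the session contents and the helper names are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed server secret; in a real deployment it comes from configuration.
SERVER_SECRET = b"constructed-secret-for-the-example"


def serialize(state):
    # JSON carries only data, never class names, so loading it cannot be steered
    # into instantiating arbitrary objects the way unserialize() can.
    return json.dumps(state, sort_keys=True).encode()


def sign_weak(blob):
    # A bare hash of the payload: anyone holding the payload can recompute it,
    # so it proves nothing about who produced the blob.
    return hashlib.md5(blob).hexdigest()


def verify_weak(blob, tag):
    return hmac.compare_digest(sign_weak(blob), tag)


def sign_hmac(blob, key=SERVER_SECRET):
    # Keyed MAC: forging a tag requires the secret, not just the payload.
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def verify_hmac(blob, tag, key=SERVER_SECRET):
    return hmac.compare_digest(sign_hmac(blob, key), tag)


def attacker_forge(state):
    # The attacker writes whatever state they like and computes the md5
    # themselves; the weak scheme mixes in nothing they lack.
    blob = serialize(state)
    return blob, sign_weak(blob)


def load_state(blob, tag, verify):
    # Only deserialize after the tag has been checked; a failed check yields None.
    if not verify(blob, tag):
        return None
    return json.loads(blob)


if __name__ == "__main__":
    forged_blob, forged_tag = attacker_forge({"user": "admin", "role": "admin"})
    print("weak check accepts forgery:", load_state(forged_blob, forged_tag, verify_weak))
    print("hmac check rejects forgery:", load_state(forged_blob, forged_tag, verify_hmac))
```

A keyed MAC is the minimum; prefixing a secret to the data and hashing with MD5 or SHA-1 is not equivalent, since both are length-extendable and an attacker who sees one valid tag can append to the payload without knowing the secret. And even a correct MAC only establishes that the server produced the blob; it does nothing about a deserializer that instantiates whatever classes the blob names, which is why the data-only format above is the other half of the fix.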



