your own websites and databases. The tools are out there, they are free and they can be automated. What's more the results can be searched, so how hard can it be?
There is no excuse for having a database vulnerable to injection, just as there is no excuse for storing passwords in plain text. I don't have an excuse for not testing my MySql backend yet, and to be honest I can't think of one so I better get my finger out and blindly poke it around my backend just in case
Don't Symantec do security?