In an informal study, Michael Sutton of SPI Dynamics was able to demonstrate that 80 out of 708 tested web sites were susceptible to SQL injection attacks.
In order to limit the test to sites that used a database, he first performed a Google search for sites with URLs containing "id=10". The assumption was that any site using a name=number pattern in the query string was most likely doing a database lookup. Using this, 1000 sites were selected.
After removing duplicates and non-functional sites, Michael Sutton was left with a pool of 708 candidate sites. By altering the query string, he found that 80 sites were returning error messages that suggested they were vulnerable to SQL injection attacks.
While study may not be formal enough for an academic paper, it does suggest that SQL vulnerabilities are a wide-spread problem among websites.