The point is that it still costs more, on average, to hire the person who understands how to avoid SQL injection by using the right tools/syntax. The person who only understands string concatenation and basic SQL will always be available to hire.
And again you are assuming that these vulnerabilities are introduced by cheap untrained or foreign programmers. Massive Silicon Valley firms who pay top market rates make the same mistakes. I am sure there is a correlation between pay level and understanding of security but we are very far from a position where if you hire a team of developers, a business can have any confidence that they won't do something dumb like md5 a password, concatenate a string in a SQL qry, rely on user supplied array length in an unmanaged language, not protect themselves against CSRF (I suspect 50% of professional web devs still don't even know what it is!), etc.
> I am sure there is a correlation between pay level and understanding of security
Good, then maybe you can see a path forward to stop arguing the opposite?
Yes, it is possible to pay a lot for a little. Developed country, less developed country, wherever. It remains, nevertheless, relatively less expensive to hire an inexperienced coder than it is to hire an experienced one, who has a greater likelihood of being security-conscious. But no formal mechanism prevents the inexperienced coder from finding work cranking out unreviewed programs.