James McGovern simply confirmed what I have observed all along:
I then asked, how many of them actually had a software development background and pretty much every single hand in the room dropped.
This is why we, who do have a software development background, pretty much discount just about everything "security professionals" say. Not only are the overwhelming majority of "security professionals" ignorant of software development and actual code, they seem to be intimidated by anything that's not sold in a black box that they can push buttons on.
Instead of focusing on what not to do, perhaps they should start focusing on how to do something securely. And at the very least, learn enough SQL so a properly parametrized query can be illustrated on a whiteboard.
I have yet to come across a "security professional" I can't send packing after speaking three simple words: "Show me code."
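The whiteboard illustration the post asks for, as an added example that is not part of the original post: the same lookup written with string concatenation and with a parametrized query, run against an in-memory SQLite database using Python's standard sqlite3 module. The table, its rows, the function names and the injection string are all constructed here for the demonstration.

```python
import sqlite3

# Constructed sample data for this example: a small users table.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "h1"), ("bob", "h2"), ("carol", "h3"), ("o'brien", "h4")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    # The value is pasted into the statement text, so whatever the caller
    # supplies is parsed as SQL. A quote in the input changes the query.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_parametrized(conn, username):
    # The statement text is fixed; the driver passes the value separately as
    # data, so it can never become SQL syntax no matter what it contains.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Classic tautology payload: turns the WHERE clause into "... = '' OR '1'='1'".
INJECTION = "' OR '1'='1"


def demo():
    """Run both versions on an honest name, a legitimate name with an
    apostrophe, and the injection payload; return the observed results."""
    conn = build_db()
    results = {
        "honest_vulnerable": lookup_user_vulnerable(conn, "alice"),
        "honest_parametrized": lookup_user_parametrized(conn, "alice"),
        "injected_vulnerable": sorted(lookup_user_vulnerable(conn, INJECTION)),
        "injected_parametrized": lookup_user_parametrized(conn, INJECTION),
        "apostrophe_parametrized": lookup_user_parametrized(conn, "o'brien"),
    }
    # The concatenated version cannot even handle a valid name containing a
    # quote: the statement becomes malformed and the database rejects it.
    try:
        results["apostrophe_vulnerable"] = lookup_user_vulnerable(conn, "o'brien")
    except sqlite3.OperationalError:
        results["apostrophe_vulnerable"] = "OperationalError"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things show up on the whiteboard: the concatenated query returns every user for the payload and fails outright on a real name like o'brien, while the parametrized query returns exactly the row whose username equals the supplied string, payload or not. The placeholder style is `?` for sqlite3; other drivers use `%s` or `:name`, but the principle is the same: the query text never changes, only the bound values do.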