I think the main problem is about the way govt & medicine requires system, instead of building something with some precises requirements, they mainly want something that just "works". Prepared statements have been around for a long time but main developments groups that are liked by governments still base their codes on old habits. In france, in the PACA region we have a centralized network that have been built last year by the same team as always. Not only the frontend is completely outdated (not even respecting HTML3 rules), the backend is rigged with bugs and flaws and the SQL database and the LDAP are pretty much completely open to people with a bit more skills that the average professor or student.
Edit:
I forgot to add:
The systems they are using are mainly completely outdated systems and there is almost only string concatenation for request building, didn't see any prepared statements.
