"I have heard" is not the fact. Give us some facts or exact URLs, may be there is something we don't know about.
We fix XSS and SQL injection issues as soon as they come up. What you may read / browse on Internet, could be outdated. If you are reading news or text regarding this, pay attention to the publishing date. Some news are marked 2008, 2006 or even 2004. Of course, we have fixed all those issues long time ago for the recent release.
BTW any website using open source software, is in danger. All websites using Wordpress are in danger. All forums using phpBB or vBulletin are in danger. Come on, you life is in danger every second. Be serious about such complaints.