No, it's not surprising. SQL injection vulnerabilities are all over the Internet, including all over high profile sites. They are so prevalent that I will often do "real-time" hacking. During a presentation, I can find a completely new website and demonstrate that it's (almost certainly) vulnerable to SQL injection in under a minute.
The reason SQL injection works is that, whereas most systems keep code and data separate, SQL mixes them in the same string. All a hacker needs to do is include some of his own code with the data he sends to a website, and he can gain control of the website.
Such code often starts with the single quote (') character. SQL uses it to mark the boundary between code and data: a quote closes a string literal, and it assumes that anything following the quote is code that it needs to run. Therefore, you can quickly tell if a website is vulnerable to SQL injection by simply typing a single quote in the URL or within a field in the webpage. Security professionals inadvertently find such sites all the time because the quote ['] key is right next to the [Enter] key on American QWERTY keyboards. (Curious security professionals make this typing error with unusual frequency :-).
The above article points to the following webpage on the U.N.'s website:
In the picture, hackers have added a single-quote (') to the end of the last field "statID" in the URL. As you can see, the server responds with an SQL error message telling us it attempted to interpret that single-quote as code. Therefore, we can be fairly certain that this site is vulnerable to SQL injection. (Note that we cannot be absolutely certain without successfully hacking the site, but such error messages are 99.9% reliable in determining whether a website is vulnerable).
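To make the code/data boundary concrete, here is an added example (not from the original post) that builds a tiny in-memory SQLite table standing in for the "statID" lookup above. The first lookup pastes the user's value into the SQL text, so a stray quote becomes syntax and the database throws an error of the kind shown in the picture; the second binds the value as a parameter, so the same quote is just a character in the data. A third helper, also an assumption of this example, shows the defender's side of the author's "99.9% reliable" observation: it flags a response that leaks a raw database error (the Oracle error text quoted later in the post is used as constructed sample input) so the page can be fixed before someone else finds it. The table contents and the Python function names are constructed for this example.

```python
import re
import sqlite3

# Constructed sample data: a small stats table keyed by a text statID,
# standing in for whatever the real page looks up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stats (statID TEXT, value INTEGER)")
    conn.executemany("INSERT INTO stats VALUES (?, ?)", [("42", 7), ("99", 11)])
    return conn

def lookup_concatenated(conn, stat_id):
    """Vulnerable pattern: the user-supplied value is pasted into the SQL
    text, so a quote in the input is read as SQL syntax, not as data.
    Returns ("ok", rows) or ("error", message) so the caller can see what
    the database actually did with the input."""
    sql = "SELECT value FROM stats WHERE statID = '" + stat_id + "'"
    try:
        return ("ok", [row[0] for row in conn.execute(sql)])
    except sqlite3.OperationalError as exc:
        # This is the branch a real site exposes when it prints the raw
        # database error back to the browser.
        return ("error", str(exc))

def lookup_parameterized(conn, stat_id):
    """Hardened pattern: the SQL text is fixed at write time and the value
    travels separately as a bound parameter. A quote in the input cannot
    change the query's structure; it simply fails to match any row."""
    sql = "SELECT value FROM stats WHERE statID = ?"
    return ("ok", [row[0] for row in conn.execute(sql, (stat_id,))])

# Constructed detection rule: signatures of database error text that should
# never reach an end user. Running this over your own site's responses or
# error logs finds pages that are telling the world they mix code and data.
_DB_ERROR_PATTERNS = re.compile(
    r"(OraOLEDB error|ORA-\d{5}|quoted string not properly terminated"
    r"|unrecognized token|syntax error)",
    re.IGNORECASE,
)

def leaks_database_error(response_text):
    """True if the HTTP response body contains a raw database error message."""
    return _DB_ERROR_PATTERNS.search(response_text) is not None

if __name__ == "__main__":
    db = make_db()
    for value in ("42", "42'"):
        print(repr(value), "concatenated  ->", lookup_concatenated(db, value))
        print(repr(value), "parameterized ->", lookup_parameterized(db, value))
    # Constructed sample response, copied from the error text quoted in the post.
    sample = ("OraOLEDB error '80004005'\n"
              "ORA-01756: quoted string not properly terminated\n"
              "/app/contents.asp, line 1470\n")
    print("leaks database error:", leaks_database_error(sample))
```

The contrast is the whole lesson: the parameterized lookup returns an empty result for `42'` instead of an error, because the database never had to decide where the data ends and the code begins. Any web application framework and database driver in use today offers this bound-parameter form; the error-leak check is a cheap way to find the pages that still use the other one.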
Let's do some real-time hacking. I went to Google and typed in "allinurl:statID" (using the same field as in the U.N. site). I went to the second result returned by Google, typed the single-quote (') character in the 'statid' field, and was rewarded with the following error message:
OraOLEDB error '80004005'
ORA-01756: quoted string not properly terminated
/app/contents.asp, line 1470
This is why people talk about "Google Hacking" - if you want to find a website to hack with SQL injection, you can use Google to find vulnerable websites for you. Curiously, the vulnerable United Nations website is the seventh result returned by my Google query. There appear to be many other vulnerable sites in the returned results, including one that might give me access to some SCADA systems.
One of the eternal mysteries of hacking is how it can be so easy. Hundreds of thousands of teenagers have the skills to hack these sites. You would therefore expect that such sites would have been hacked already, and that once hacked, they would be fixed. Basic economics tells us that easily hacked websites should quickly be removed from the net, leaving only those that are hard to hack. Yet the evidence says otherwise. I really have no answer to this question.