
If I design a bridge without calculating the load rating I’m knowingly, as an engineer, putting public safety at risk. Hand-crafted SQL statements without sanitizing input in 2020 are the same level of negligence from software engineers - you know you’re putting your system's safety at risk.


You'd be surprised by how many software engineers still have no clue about security.


If you were writing SQL queries and not sanitizing inputs in 2010, shame on you. If you're doing so in 2020, you have no excuse. Even if you never read any tech news, all of the major languages and frameworks make it easy to parameterize inputs and hard to do it wrong. Every SINGLE guide about writing SQL on the internet will give this exact code as an example of something not to do. If you're this ignorant, that kind of flagrant disregard means you don't deserve the title engineer - much less "CTO".


Having no clue and doing nothing to remedy it is negligence. SQL injection vulnerabilities in particular are so infamous that parameterized queries have become the default interface. It's the path of least resistance and people have to go out of their way to avoid it.
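The contrast this thread keeps coming back to, as an added example that is not part of the discussion: a hand-crafted query with the input spliced into the statement text, beside the parameterized form that the comment above calls the default interface. It runs against a constructed in-memory SQLite table using only Python's standard library.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Hand-crafted SQL: the caller's input becomes part of the statement.

    Kept deliberately vulnerable to show the pattern the thread criticises:
    the database cannot tell where the query ends and the data begins.
    """
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Parameterized query: the value travels separately from the statement,
    so whatever it contains is compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The textbook input every SQL guide warns about (constructed here).
    probe = "' OR '1'='1"
    print("vulnerable:    ", lookup_vulnerable(db, probe))      # every row
    print("parameterized: ", lookup_parameterized(db, probe))   # no match
    # The hand-crafted version also fails on perfectly legitimate input.
    try:
        lookup_vulnerable(db, "o'brien")
    except sqlite3.OperationalError as exc:
        print("vulnerable breaks on an apostrophe:", exc)
    print("parameterized: ", lookup_parameterized(db, "o'brien"))
```

The parameterized version is also the one that handles names containing an apostrophe correctly, which is the usual reason concatenated SQL breaks long before anyone attacks it.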


Unpopular opinion - we should stop pretending that reading a few tutorials and completing a coding bootcamp, or taking a few CS classes, makes you an engineer.

It can make you a developer, aka code monkey, but proper engineering requires more comprehensive training that focuses not only on basic coding skills, but also teaches you about design, managing the lifetime of products, security/safety/ethical considerations, etc.

A lot of people who call themselves engineers in IT fields are much closer to code monkeys than engineers.



