Out of the box, SharePoint 2010 has no known SQL Injection vulnerabilities. You are right in so much as you should take steps to protect the hosting IIS server, and ensure that all security updates are applied. SQL Injection is much more likely when custom code is deployed within the SharePoint environment. There is no direct passing of input data from the query string or POST back to SQL Server within SharePoint 2010.
Cheers
Spence
www.harbar.net
Microsoft Certified Master | SharePoint 2010
Microsoft Certified Master | SharePoint 2007