While I think that you're generally right ("SQL injection is a web application problem"), I still think it is a problem "directly related to an ORM". Your claim made me think about this issue and I wrapped it up in a blog post here:
I can back up the fact that SQL injection cannot and should not be prevented in ActiveJDBC, given that some of its main API elements are "SQL injection methods", such as where():
Employee.where("department = ? and hire_date > ? ", "IT", hireDate)
But I think that ActiveJDBC should actively position itself with respect to this topic. Tell me what you think!
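The point about where() taking a SQL fragment, as an added example that is not part of the original post and not ActiveJDBC code: the same finder returns every row when the caller concatenates input into the fragment, and no rows when the input is passed as a bound parameter. Assumptions: Python's sqlite3 stands in for the database, and `where`, `find_concatenated`, `find_bound`, the `employees` table and its rows are hypothetical and constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, department TEXT, hire_date TEXT)")
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?)",
        [
            ("alice", "IT", "2012-03-01"),
            ("bob", "IT", "2009-07-15"),
            ("carol", "HR", "2013-01-10"),
        ],
    )
    return conn


def where(conn, fragment, *params):
    """Hypothetical stand-in for a where(fragment, params...) finder.

    The fragment is spliced into the statement as SQL text; only the
    values in params travel to the database as bound parameters.
    """
    sql = "SELECT name FROM employees WHERE " + fragment + " ORDER BY name"
    return [row[0] for row in conn.execute(sql, params)]


def find_concatenated(conn, department):
    # The caller builds the fragment from input, so the input is parsed as SQL.
    return where(conn, "department = '" + department + "'")


def find_bound(conn, department, hired_after):
    # Same shape as the call quoted in the post: the input stays data.
    return where(conn, "department = ? and hire_date > ?", department, hired_after)


# Constructed input containing a quote that rewrites the predicate.
CRAFTED = "none' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(find_bound(db, "IT", "2010-01-01"))
    print(find_concatenated(db, CRAFTED))
    print(find_bound(db, CRAFTED, "2000-01-01"))
```

The finder cannot tell the two callers apart, because both hand it a string; the safety of the call depends entirely on whether the fragment is a constant.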