It's amazing how many SQL Injection vulnerabilities I see in brand new code. At least with an ORM, this is abstracted away unless you try extremely hard to create such a vulnerability.
Demonstrate how easily and accidentally one can make an SQL injection with these: