You make a very good point. We aren't always able to change all existing code to fit a newer and better way of doing things when we discover them.
On SQL injection, basically the read the paper I linked to. This is by far the best thing I have read on the subject. The comments I made on SQL injection are a rough and condensed version of what I picked up from the paper.
I can't point to any neat papers on how to use SQL Server, I can only speak from my own experience and from the comments of others on this and other mailing lists. SQL Server is extremely good at working with data, so that is what I use it for. All data manipulation is done in stored procedures, ie no SQL is ever generated or executed in the app. Instead procs are executed.
Sounds like you have a good handle on layered development.