I mean that they were doing simple things like replacing a single quote (dangerous!) with a double single quote. E.g.: ' -> ''

That means that when a user called Bob O'Neill enters their name, instead of returning a HTTP/500 error, the database stores Bob O''Neill.[1]

Then when the user goes to edit their form, they will see O''Neill. Okay, oops, that's a mistake, let's just replace all double single quotes with a single quote when outputting HTML! Now it'll say O'Neil correctly!

Of course, if you enter some bad text with double single quotes via some other mechanism such as a CSV upload, there's a decent chance that'll it'll be incorrectly stripped. Perhaps in some mid-tier API, which will then interpret it as a single quote, resulting in an injection vulnerability (or data corruption) again.

That can be fixed with "mere" man months of effort instead of the minutes it would have taken to just use the parameterised queries like God intended.

Now that that nightmare is over once and for all... what to do about % symbols screwing up LIKE searches? I dunno, that's complicated, so let's just replace all...

... rinse, repeat, ad infinitum.

[1] Oh, oh, you assumed that the query engine would replace '' with ' and the database would store the correct text? Hah-haaa.... you assumed that this "fix" was applied only once! What's fun about band-aids is that they're so easy to accidentally layer three or four deep without even realising. More band-aids == more safe, am I right?