Maybe, it depends. What does the app do? If it's just a photo-sharing application, or a weekend project, then no. There's no expectation for the former to be secure, or for the latter to be a full-fledged product that meets standards.
On the other hand, if it is a file-sharing SaaS targeting small businesses, the failure to handle SQL injection or store passwords properly would be negligence.
I think it would be very easy to convince a jury under a straightforward liability framework that "failure to handle SQL injection is negligent". Which is unfortunate, because "failure to handle SQL injection" is by itself a mostly meaningless statement. Most SQL injection flaws are indeed very dumb, very obvious bugs. But there are bugs that end up vectoring to SQL injection that are not obvious at all.
The question then becomes, who decides what that falls under? It's the kind of question that results in laws against braiding hair without a Cosmetology license.[1] And it's a lot easier to code for public consumption, given that all you need is a computer and an internet connection.