The thing is, most website use software that wasn't developed in house.
I agree, we ran into the same problem - what we did though was scan through the code looking for (ASP/VBScript Site) "Request.Form" and "Request.Querystring" to see where they were accepting input and made sure that we were sanitizing the input at those locations. It's not ideal, and it feels like a bit of a hack, but it has worked quite well. Also, we approached the original author for fixes - though in our case we didn't get results.
We are in the future going to move to our own application, which we know is secure, but for now this has worked. And I wholeheartedly agree that getting a vulnerability scan is worth it as well, even if you wrote your own code.