I see two possibilities here:
-
Your customers are the WTF because they think they found a vulnerability when there is none. However, I don't know how likely it is that three different customers come up with the same false positive independently of each other (unless you have hundreds of other audits that didn't find a problem).
-
You are the WTF for refusing to look into a security issue. SQL Injection vulnerability is not a bug in the database connection driver, but a wrong way of building requests in the application code. It does not need a working exploit to prove the existence of a vulnerability. Sometimes, a vulnerability isn't even exploitable because of some lucky coincidence in the surrounding application code, but that luck may turn every time you make a change. So stop complaining and sanitize your database inputs. (insert xkcd reference here)