SQL injection vulnerabilities aren't something which ship by default that administrators need to fix using plugins or additional files. MyBB is well protected against SQL injection vulnerabilities (although there are definitely some unknown ones which exist). You're more liking to be hacked via SQL injection
by adding plugins as third party developers often overlook the security aspect of their plugins.
Keep your forum up to date, disable error messages in production (but keep logging enabled), and use common use when it comes to security. If your admin password is '123456', or you have 80 plugins installed, or you're not taking regular backups, then there is an obvious issue.
Security is a process, not a product. You will get hacked at some point. It might be tomorrow, or in 10 years time. You just have to ask yourself if you've done enough to protect yourself and your member's data. If you ever think you've done enough, go back and review your security again. There's no such thing as "secure", but you can be at least relatively secure.
No longer involved in the MyBB project.