Anyway GBAtemp does have SSL -- stick a https:// at the start of it if you want to see it. It does not do it by default/auto redirect to SSL for complex reasons, mostly that many users come from countries that dislike ssl.
No, not really. SQL Injection has nothing to do with the security of the connection, rather it has to do with the security of how you handle user input. Using prepared statements helps prevent purposefully mis-formed input data from corrupting your SQL queries.
If all of your users are trusted users who must log in, using SSL can provide some level of security against SQL injection, as you would be more confident that the users who get into your application would not be attempting to hack your system.
But SSL is no substitute for properly writing your database access code.
You've already figured that SSL doesn't prevent SQL injection so I'll refrain from mentioning that. (also, high five, you did the google)
As for your question, there's this little phenomenon that applies to any computer application, OS, hardware, etc.: there will always be bugs/exploits/vulnerabilities (note: don't take it too literally). So the technical answer is no, but the practical answer is yes. XenForo tries their best to prevent (and fix) issues in their forum software, and they also limit what pages can do to what they need to do so if a vulnerability is found it isn't as bad as it could be.