Have you done any manual testing of the areas the tools identified? If you can prove through a workable exploit that a real vulnerability exists that might make a big difference. If you have confirmed a vulnerability and your developers are telling you it can't be fixed you have a problem. I would recommend spending some (a lot) time on the OWASP website to better educate yourself on these vulnerabilities and the different strategies for preventing them. Here is a link to the OWASP SQL Injection Prevention Cheat Sheet and the OWASP XSS Prevention Cheat Sheet for your developers if they need assistance fixing these vulnerabilities.