• it is in general more secure. When a Statement is constructed dynamically from user input, it is vulnerable to SQL injection attacks. PreparedStatement is not vulnerable in this way.
• there is usually no need to worry about escaping special characters
• if repeated compilation is avoided, its performance is usually better

In general, it seems safest to use a Statement only when the SQL is of fixed, known form, with no parameters.