The bind variables do indeed add to security, and that was the motivation that led aD to take this approach (I'm not sure if they were aware of the scalability side-effects, to be honest).
In fact, the bind variable emulation we added to the Postgres driver also adds to security. Considerably, actually. Proper use of ad_page_contract does, too.