I have heard that when you use an object of the class Statement, your software is vulnerable to SQL injection. It seems like the Statement class should never be instantiated, and instead you should always instantiate a PreparedStatement (which is a subclass of Statement).
I can't think of any use of having the Statement class anymore except that it is a super-class to PreparedStatement.
Yes, you should (see this blog post, tip #2). There's a big difference between "what could be done" and "what should be done". In short, it makes your code a lot easier to maintain should you decide to add parameters later on. Even if you don't parametrize the query, prepared statements may be pre-compiled by the JDBC driver, meaning that calling the same PreparedStatement object 10x could (or rather should) be faster than calling the same Statement object using the same query 10x.
In general, you should always use PreparedStatements over Statements.
He was asking this from the perspective of SQL injection.
But indeed, a PreparedStatement is faster than a Statement. That's another reason to prefer it over Statement. Yet another reason is that it really eases setting non-standard Java objects such as Date and InputStream in a SQL string. You just use PreparedStatement#setDate() and #setBinaryStream() instead. No hassle with nasty conversions.
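As an added illustration (not code from the question or the answers above): the string-building Statement pattern the question asks about beside its PreparedStatement equivalent, plus the Date/InputStream binding and statement reuse mentioned in the comment. The `orders` and `invoices` tables and their columns are assumptions made for this example.

```java
import java.io.InputStream;
import java.sql.Connection;
import java.sql.Date;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class OrderLookup {
    // Vulnerable: the caller-supplied value is spliced into the SQL text, so the
    // database parses it as part of the query instead of treating it as data.
    static int countOrdersUnsafe(Connection conn, String customer) throws SQLException {
        String sql = "SELECT COUNT(*) FROM orders WHERE customer = '" + customer + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Hardened: the SQL text is fixed and every value travels as a bound
    // parameter, so no input can change the structure of the query.
    static int countOrdersSafe(Connection conn, String customer) throws SQLException {
        String sql = "SELECT COUNT(*) FROM orders WHERE customer = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, customer);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // One PreparedStatement reused for many rows: the driver/database parses it
    // once, and Date and InputStream values are bound directly (no hand-built literals).
    static int insertInvoices(Connection conn, String[] customers, Date issued,
                              InputStream[] pdfs) throws SQLException {
        int inserted = 0;
        try (PreparedStatement ps = conn.prepareStatement(
                "INSERT INTO invoices (customer, issued, pdf) VALUES (?, ?, ?)")) {
            for (int i = 0; i < customers.length; i++) {
                ps.setString(1, customers[i]);
                ps.setDate(2, issued);            // assumed column type DATE
                ps.setBinaryStream(3, pdfs[i]);   // assumed column type BLOB/bytea
                inserted += ps.executeUpdate();   // same compiled statement each time
            }
        }
        return inserted;
    }
}
```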