Can you please explain how it increases the security?

Most of work is behind the scenes. The DBI uses the placeholders to register a host variable via the database's CLI (call level interface.) When the values are passed to the CLI, they are contained and can only be values. Hence, no matter what is passed, it cannot adversely affect the statement.

When placeholders are not used, the statement is not a statement until the variables are interpolated into the text. So, the statement might not be what it seems. Further, due to quoting and formatting, all sorts of things might need be done to variables, whereas placeholders need no such help. Finally, placeholders are (ultimately) strictly typed. Possibly making errors a little more sensible.

This is aside from performance gains (when the statement (or, in some case, even a very similar statement) is executed multiple times) and self-documentation. Please, especially after doing the upload correctly and having this code most of the way there, don't use dynamic SQL.