Interesting idea, but I have some points unclear...
You can do SQL injection using EXEC, but I think there's no injection possibility using the sp_executesql stored procedure.
Is sp_executesql inefficient? Well, it reuses the execution plans because you pass to it the parameters to change.
Josep.
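As an added example (constructed for this thread, not code from Josep or the original post), the T-SQL below puts the two approaches side by side: a procedure that builds its WHERE clause by string concatenation and runs it with EXEC, and the same query run through sp_executesql with a typed parameter list, which is what lets the server treat the value as data and reuse one cached plan across calls. The table dbo.Customers, its sample rows and the procedure names are assumptions made for the example. One caveat worth keeping in mind: sp_executesql only protects values that are passed through its @params list; anything concatenated into the @stmt text is parsed as SQL exactly as it would be under EXEC, which is why the third procedure handles a dynamic identifier with an allow-list and QUOTENAME instead.

```sql
-- Added example: constructed table and rows for the demonstration.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    Name       NVARCHAR(100) NOT NULL,
    City       NVARCHAR(100) NOT NULL
);
INSERT INTO dbo.Customers (Name, City) VALUES (N'Ann', N'Oslo'), (N'Bob', N'Lyon');
GO

-- Vulnerable form: the caller's value is pasted into the statement text, so a
-- single quote inside @City terminates the literal and whatever follows is
-- parsed as SQL. Every distinct @City also produces a different statement
-- text, so the plan cache holds one plan per value instead of one per query.
CREATE PROCEDURE dbo.Customers_ByCity_Exec @City NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE City = ''' + @City + N'''';
    EXEC (@sql);
END
GO

-- Hardened form: the statement text is constant and @City travels as a typed
-- parameter through @params, so its content is never parsed as SQL, and all
-- calls share the cached plan for that single statement text.
CREATE PROCEDURE dbo.Customers_ByCity_Param @City NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE City = @City';
    EXEC sys.sp_executesql
        @stmt   = @sql,
        @params = N'@City NVARCHAR(100)',
        @City   = @City;
END
GO

-- Identifiers (table or column names) cannot be parameters. When one must be
-- dynamic, check it against an allow-list and wrap it with QUOTENAME before
-- concatenating; the value part still goes through the parameter list.
CREATE PROCEDURE dbo.Customers_OrderBy @SortColumn SYSNAME, @City NVARCHAR(100)
AS
BEGIN
    IF @SortColumn NOT IN (N'Name', N'City')
        THROW 50000, N'Unsupported sort column', 1;
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE City = @City ORDER BY '
        + QUOTENAME(@SortColumn);
    EXEC sys.sp_executesql @sql, N'@City NVARCHAR(100)', @City = @City;
END
GO

-- Usage: both parameterised procedures return the matching rows and reuse
-- their plan on the next call with a different city.
EXEC dbo.Customers_ByCity_Param @City = N'Oslo';
EXEC dbo.Customers_OrderBy @SortColumn = N'Name', @City = N'Lyon';
```

After running the two procedures a few times with different cities, sys.dm_exec_cached_plans joined to sys.dm_exec_sql_text will show a single entry for the sp_executesql statement text and one entry per distinct value for the EXEC version, which is the plan-reuse point raised in the reply made visible.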