Regardless of whatever theoretical difference, neither PDO::query() nor PDO::exec() should be used anyway. These functions don’t let you bind parameters to the prepared statement and should never be used.
Use prepare()/execute() instead, especially for UPDATE, INSERT, DELETE statements.
Please note that although prepared statements are widely advertised as a security measure, it is only to attract people’s attention. But their real purpose is proper query formatting. This gives you security too – as a properly formatted query cannot be injected as well – just as a side effect. But again – formatting is a primary goal, just because even innocent data may cause a query error if not formatted properly.
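The formatting point above, shown as an added example that is not part of the original answer: the same innocent values break a concatenated statement but pass through prepare()/execute() unchanged. It assumes the pdo_sqlite extension; the `users` table and all sample names are constructed for illustration.

```php
<?php
// Added example. In-memory SQLite so it runs offline; table and data are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->prepare('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)')->execute();

// Innocent data: nothing hostile here, only quote characters and punctuation.
$names = ["O'Brien", 'Sam "The Ace" O\'Neil; -- nickname'];

// Unformatted: the value is pasted into the SQL text, so its quote ends the
// string literal early and the statement no longer parses.
try {
    $pdo->exec("INSERT INTO users (name) VALUES ('" . $names[0] . "')");
    echo "concatenated INSERT succeeded\n";
} catch (PDOException $e) {
    echo "concatenated INSERT failed: " . $e->getMessage() . "\n";
}

// Formatted: the SQL text is fixed and the values travel separately as bound
// parameters, so they cannot change the structure of the statement.
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
foreach ($names as $name) {
    $insert->execute([':name' => $name]);
}

// The same pattern for UPDATE and DELETE, with rowCount() as a sanity check.
$update = $pdo->prepare('UPDATE users SET name = :new WHERE name = :old');
$update->execute([':new' => "D'Arcy", ':old' => "O'Brien"]);
echo "rows updated: " . $update->rowCount() . "\n";

$delete = $pdo->prepare('DELETE FROM users WHERE name = :name');
$delete->execute([':name' => $names[1]]);
echo "rows deleted: " . $delete->rowCount() . "\n";

// Whatever remains is stored byte for byte as it was supplied.
$select = $pdo->prepare('SELECT name FROM users ORDER BY id');
$select->execute();
foreach ($select->fetchAll(PDO::FETCH_COLUMN) as $stored) {
    echo "stored: " . $stored . "\n";
}
```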