Short answer
Mathematically 24 words is more secure (256 bits of entropy vs 128 bits), but 128 bits is already far beyond any conceivable brute-force threshold for current and foreseeable computing. The advantage of 24 words is real but theoretical — relevant for post-quantum scenarios and some institutional setups. For individual holders, the practical security difference is essentially zero. 12 words is shorter, easier to transcribe, and less error-prone.
Why 128 bits is "enough"
BIP-39 specifies 12 words = 128 bits entropy + 4 checksum bits; 24 words = 256 bits + 8 checksum bits. The only attack is guessing. 2^128 ≈ 3.4 × 10^38. Assume every GPU on earth (about 1 billion units) trying 10 billion hashes per second: total time to enumerate is approximately 10^12 years — the universe is currently 1.38 × 10^10 years old. The math doesn't get any better by being clever.
This is why cryptography literature treats 128 bits of symmetric-equivalent security as "indefinitely safe." Not because it's mathematically unbreakable but because no one will outlive the attack.
When 24 words actually helps
Three scenarios. First, post-quantum: large-scale quantum computers running Grover's algorithm effectively halve the security level (128 bits → 64 bits, breakable; 256 bits → 128 bits, still safe). NIST published post-quantum standards in August 2024, but practical quantum attacks on Bitcoin are 2030+ at earliest. Second, defense-in-depth at the institutional level. Third, the BIP-39 passphrase derivation function (PBKDF2) treats both as input — 256 bits gives more headroom.
The transcription tradeoff
12 words is materially less error-prone to write down. Steel backup plates with 12 slots cost half what 24-slot plates cost. The marginal security gain of 24 over 12 is not worth the operational risk for most US holders. Ledger and Coldcard default to 24; MetaMask defaults to 12 — both are correct decisions for their respective audiences.
Further reading: Private keys and seed phrases, BIP-39.