1. If the query is hardcoded, no; if the query uses dynamic data, I would suggest using CFQUERYPARAM, anyway.. why risk it?
2. I, personally, despise CFUPDATE. I don't think it's safe. Plus a standard query/SP gives much more granular control.
Just my $0.02 worth.
If it's a dynamic as opposed to a static value, it should be passed as a parameter.
I detail the whys & wherefors in this article, which might be useful to you: http://adamcameroncoldfusion.blogspot.co.uk/2012/07/what-one-can-and-cannot-do-with.html
Thinking about it, even with a static value I might consider parameterising it: it's a VALUE, not part of the SQL statement. I think people most often hard-code these too, though, because they don't change, so will not impact the query compilation process.
As for <cfinsert> and <cfupdate>. They certainly didn't USED to be parameterised. I think they are now, since CF9 though. I'm pretty sure if you have DB debugging displaying, the generated SQL from these tags is output, so you could check...
Thank you for the link to the blog, Adam. Nice article! Was not aware of how the process works. (I love CF, but never really learned the inner workings.)
Just to follow up on the <cfinsert> and <cfupdate> thing, I've done some investigation there too: http://bit.ly/MN0XYS.
The important bit is that these two tags do indeed use parameters for their values these days (and since at least CF8.0.1), so that's something.