12 words provide the necessary level of security against someone trying to brute force your root seed, because they encode for the 128 bits of entropy needed. Any number of words, be it 12 or 24, provides no security whatsoever against an attacker who has found a copy of your words. This is the reason that passphrases should be used - not because 12 words isn't secure enough, but because it means an attacker needs to compromise two separate pieces of information rather than just one to be able to steal all your coins.