Board Electrum
Re: [TUTORIAL] How to extend seed phrase in electrum wallet
by BlackHatCoiner on 07/05/2021, 07:12:28 UTC
The extra words do not provide any meaningful security to your wallet.

I'd like to examine the chances.

Let's assume that someone wants to brute force a certain legacy address you own, knowing that you've derived it from a master private key that was also derived from a seed. Let's also assume that he knows the derivation path of your address.

The chances of finding your address are 1 in 2^160, since he'll stop once he successfully finds your RIPEMD-160 hash. Whether he tries on twelve or twenty-four words (128 or 256 bits), he'll stop once he finds the hash collision.

This means that on average, finding your seed phrase will be 2^32 times easier than with brute forcing the address itself, excluding the different operations that need to be taken for a seed and for just an address.

I'm just adding the numbers decimally:
Code:
2^128 = 340282366920938463463374607431768211456 (12 words)
2^160 = 1461501637330902918203684832716283019655932542976 (RIPEMD-160 hash different combinations)
2^256 = 115792089237316195423570985008687907853269984665640564039457584007913129639936 (24 words)

So yes, it may not provide any significant security to your wallet. It just makes brute forcing meaningless, since it'd be quicker if you brute forced the address instead of the seed phrase.