I studied the difference between 12 mnemonic words and 24 mnemonic words. BIP39 defines the generation algorithm for mnemonic words. The random seed (entropy) used to generate 12 mnemonic words is 128 bits, giving a cryptographic security strength of 2^128. The random seed used to generate 24 mnemonic words is 256 bits, giving a cryptographic security strength of 2^256.
Alternatively, from another perspective, choosing 24 mnemonic words from a word list of 2048 words gives 2048^24 combinations (close to 2^256), while choosing 12 mnemonic words gives 2048^12 (close to 2^128). Therefore, theoretically speaking, 24 mnemonic words are harder to brute-force, which makes them more secure.
However, there is a famous theory called the birthday paradox, which states that if there are 23 or more people in a room, the probability of at least two people having the same birthday is greater than 50%. For 60 or more people, this probability is greater than 99%.
The birthday paradox has a significant impact on cryptography. Specifically, for a hash function with an n-bit output, once the number of hashed elements reaches 2^(n/2), the probability that two of them have the same hash value is approximately 50%. In other words, the cryptographic security strength of a 256-bit hash function against collisions corresponds to half of its bit length, which is 2^128, exactly the same as the cryptographic security strength of 12 mnemonic words. Currently, most public chains apply a 256-bit hash function before transaction signing.
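The following is an added example, not part of the original post. It checks the figures above: the BIP39 split of 12 and 24 words into entropy and checksum bits (BIP39 appends entropy/32 checksum bits, which is why 2048^24 is only close to 2^256), the birthday probabilities for 23 and 60 people, and a collision search on SHA-256 truncated to 24 bits, which succeeds after roughly 2^12 hashes. The function names and the input strings are constructed for illustration.

```python
import hashlib
import math

def bip39_bits(words):
    """Split a BIP39 phrase length into (entropy_bits, checksum_bits)."""
    total = words * 11              # each word indexes a 2048-word list: 11 bits
    entropy = total * 32 // 33      # BIP39: checksum bits = entropy bits / 32
    return entropy, total - entropy

def birthday_probability(k, space):
    """Approximate chance that k uniform samples from `space` values collide."""
    return 1.0 - math.exp(-k * (k - 1) / (2.0 * space))

def find_truncated_collision(bits, limit=1 << 20):
    """Find two inputs whose SHA-256 digests agree in the first `bits` bits.

    Returns (input_a, input_b, attempts). Inputs are constructed sample data.
    """
    seen = {}
    for i in range(limit):
        msg = b"constructed-sample-%d" % i
        digest = hashlib.sha256(msg).digest()
        tag = int.from_bytes(digest, "big") >> (256 - bits)  # keep top `bits` bits
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg
    raise RuntimeError("no collision within limit")

if __name__ == "__main__":
    for words in (12, 24):
        ent, cs = bip39_bits(words)
        print(f"{words} words: {ent} entropy bits + {cs} checksum bits")
    print(f"23 people: {birthday_probability(23, 365):.3f}")
    print(f"60 people: {birthday_probability(60, 365):.3f}")
    a, b, n = find_truncated_collision(24)
    print(f"24-bit collision after {n} hashes (2^12 = 4096): {a!r} vs {b!r}")
```

The same search on the full 256-bit output would need on the order of 2^128 hashes, which is the collision bound the text compares with the 128-bit entropy of a 12-word phrase.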
If an attacker can find two different inputs with the same hash value, the attacker can exploit this to perform collision attacks in the transaction signing process, such as taking a transfer transaction that has already been recorded on the chain and colliding its hash value (by modifying the receiving address of the transfer, for example) to create a fake transaction.
In other words, the weakest link here is not the mnemonic words or the private key, but the hash algorithm used in transaction signing (or the difficulty is similar for both). Instead of colliding mnemonic words, attackers would rather collide transaction hash values (although both are almost impossible).
Therefore, more mnemonic words do not mean more security. 12 mnemonic words are sufficient, with a cryptographic security strength of 2^128. Increasing the number of mnemonic words does not improve cryptographic security strength. More mnemonic words will only make the phrase harder to store.