An argument for using SPs and only SPs is that if you allow query passing and your website does get owned, the database can be queried with anything.
I was going to say something similar. I always work on the principle that 'the client can never be trusted'. In the case of a database, a client is anything connecting to the database, not just a traditional client machine. So a web server would be a client to the DB, and if the web server got owned then the SQL could all be rewritten. It would be even better if there were another authorisation & authentication layer between web server and DB on a different virtual or physical machine that held the DB connection information. The chances of such a mid-tier being owned as well as the front end / web server are even lower then.
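The SP-only arrangement discussed in the posts above, as an added example that is not part of either post: the web server's database account can execute one stored procedure and has no rights on the underlying table, so a compromised web tier cannot send arbitrary queries. It assumes Microsoft SQL Server (T-SQL); the table, procedure and user names are constructed for illustration.

```sql
-- Added example. Assumes Microsoft SQL Server; all object names are constructed.
CREATE TABLE dbo.Orders (
    OrderId    INT IDENTITY(1,1) PRIMARY KEY,
    CustomerId INT NOT NULL,
    Total      DECIMAL(10,2) NOT NULL
);
GO

-- The only operation the web tier is meant to perform.
-- Static, parameterised SQL: no string concatenation and no EXEC() of
-- caller-supplied text, which would reintroduce arbitrary queries.
CREATE PROCEDURE dbo.GetOrdersForCustomer
    @CustomerId INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, Total
    FROM dbo.Orders
    WHERE CustomerId = @CustomerId;
END;
GO

-- Database user for the web server. It is not added to db_datareader or
-- db_datawriter and receives no table-level grants.
CREATE USER web_app WITHOUT LOGIN;
GRANT EXECUTE ON OBJECT::dbo.GetOrdersForCustomer TO web_app;
GO

-- Verify the effective permissions while impersonating the web server's user.
EXECUTE AS USER = 'web_app';

SELECT
    HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT')                AS can_select_table,
    HAS_PERMS_BY_NAME('dbo.GetOrdersForCustomer', 'OBJECT', 'EXECUTE') AS can_exec_proc;

-- Allowed: the procedure reads dbo.Orders through ownership chaining,
-- because the procedure and the table share the same owner.
EXEC dbo.GetOrdersForCustomer @CustomerId = 42;

REVERT;
```

The table read inside the procedure works only because both objects have the same owner; dynamic SQL inside a procedure breaks that chain and would require direct table permissions, which defeats the restriction.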