I would advise against dynamically linking. From the last 20+ years of VST experience, I can tell you that you will get people manually moving the .dll files across computers, never having installed the runtime. Your plugin won’t even load and the error message is about some missing DLL that no non-power user will understand. Or they install some other piece of software, that installs some outdated or updated version of the same runtime, causing you problems now. Google “dll hell” and you will understand.
The argument that you’re missing out on bug-fixes or that there may be exploits in the current version you’re statically linking is extremely thin, unless you use a LOT of very Windows specific system calls, you won’t be affected by any of those “bugs” or “exploits”. I would argue that dynamically linking is a lot more dangerous, because code you have no control over might magically get changed without your knowledge or consent. What if Microsoft release a new version of the runtime that causes problems with your plugin, because they “corrected” some behavior and the new version is the de-facto correct one, then you will have to change your plugin to make it work again. You better hope it works with the old and the new version, because you have zero control over which versions people might have installed, sometimes through other software that installed its “best runtime”.
Pick the path of least resistance and simply statically link. Your users will thank you. Less hassle and problems during installation. The fewer external dependencies you have, the better.