+1  A: 

In just about every case imaginable, I would use a connection pool. The aspects of maintainability, performance, and implementation have been taken care of for you. Most servers provide a built-in data source for you that can be accessed through JNDI, and there are standalone connection pools as well.

As for security, use prepared statements for any query that requires user input for a parameter. That way, user input can never allow a SQL injection attack.

And about your questions:

4.1: Ideally, each page request will use 1 connection. So in order to figure out how many total pooled connections you need, you've got to do the math on how many requests you'll be getting per average query time (say, requests per second). Unless that number is high, the default number of connections provided by most connection pools will suffice (usually 20, from what I've seen).

4.2: You can use either a Statement or PreparedStatement from the Connection you get from the pool. In most cases (including any in which user input is used in the query), you should use PreparedStatements.

4.3: If you put your connection closing code in the finally block of a try statement and remember to do this every time you access the database, then you should never run into the problem of running out of connections.

Kaleb Brasee
Thanks for the reply. Regarding connection pools, there are 3 questions unanswered there :D.
Hypercube
LOL, there you go, answered them.
Kaleb Brasee
+1 for the speed of reaction! Cheers.
Hypercube
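
The three points of the answer above (a container-provided pool looked up through JNDI, a PreparedStatement for user input, and a connection that is always closed) combined in one data-access class. This is an added example, not code from the original answer; the JNDI name `jdbc/AppDB`, the `users` table and its columns, and the `UserDao` class are assumptions made for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Optional;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

public class UserDao {
    // Hypothetical JNDI name; it must match the resource configured in the container.
    private static final String JNDI_NAME = "java:comp/env/jdbc/AppDB";

    private final DataSource pool;

    public UserDao() throws NamingException {
        // Look the pool up once; the container owns its size and lifecycle.
        this.pool = (DataSource) new InitialContext().lookup(JNDI_NAME);
    }

    /** Returns the e-mail for a user name taken from request input. */
    public Optional<String> findEmail(String userName) throws SQLException {
        // Hypothetical table and columns. The value is bound to the placeholder
        // as data and is never concatenated into the SQL text.
        String sql = "SELECT email FROM users WHERE name = ?";

        // try-with-resources closes each resource in reverse order, as a finally
        // block would, even when an exception is thrown. Closing a pooled
        // connection hands it back to the pool instead of tearing it down.
        try (Connection con = pool.getConnection();
             PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, userName);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next()
                        ? Optional.ofNullable(rs.getString("email"))
                        : Optional.empty();
            }
        }
    }
}
```

Placeholders bind values only; a table or column name chosen at run time cannot be passed as a `?` parameter and needs an allow-list check instead.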