Static statements with host variables are not susceptible to SQL injection attacks.
Non-parameterized dynamic statements are what you need to worry about... They would look something like this (my COBOL is rusty):
    *> X, Y and Z are copied into the SQL text itself
    STRING "INSERT INTO TBL (a,b,c) VALUES ("
           X ", "
           Y ", "
           Z ")"
           DELIMITED BY SIZE
           INTO WSQLSTMT.
    EXEC SQL PREPARE MYSTMT FROM :WSQLSTMT END-EXEC.
    EXEC SQL EXECUTE MYSTMT END-EXEC.
Note that you could use EXECUTE IMMEDIATE in place of the two-step PREPARE and EXECUTE.
In contrast, a parameterized dynamic query looks like:
    *> The SQL text is fixed; X, Y and Z are passed only as values
    STRING "INSERT INTO TBL (a,b,c) VALUES (?, ?, ?)"
           DELIMITED BY SIZE
           INTO WSQLSTMT.
    EXEC SQL PREPARE MYSTMT FROM :WSQLSTMT END-EXEC.
    EXEC SQL EXECUTE MYSTMT USING :X, :Y, :Z END-EXEC.
In summary, a static query with host variables like you originally posted is SAFE, as is a parameterized dynamic query. A non-parameterized query that directly uses the user input to build the SQL statement to execute is NOT SAFE.
The key thing to understand is that the statement must be compiled (PREPARED) in advance, before the run-time values of the variables come into play. In your original static statement, the statement is prepared automatically at compile time.
Side note: since a static statement is prepared at compile time, it performs better than a dynamic statement prepared at run time. So it's usually best to use static statements whenever possible.
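The following is an added example, not part of the answer above and not the author's code. It mirrors the two dynamic patterns from the answer in Python with the standard sqlite3 module standing in for embedded SQL: `build_concatenated` is the STRING-the-values-into-the-text pattern, and `PARAMETERIZED` is the fixed text with `?` markers whose values are supplied at execute time. The table name TBL and columns a, b, c come from the answer; the in-memory database, the sample values and the helper names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample schema matching the answer's TBL (a,b,c).
SCHEMA = "CREATE TABLE TBL (a TEXT, b TEXT, c TEXT)"

# Parameterized pattern: the SQL text is complete before any value is seen,
# so the values can only ever be data (PREPARE ... EXECUTE USING :X, :Y, :Z).
PARAMETERIZED = "INSERT INTO TBL (a,b,c) VALUES (?, ?, ?)"


def open_db():
    """In-memory SQLite database with the three-column table from the answer."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def build_concatenated(x, y, z):
    """Non-parameterized pattern: the values are spliced into the SQL text,
    like STRING ... X ", " Y ", " Z ")" INTO WSQLSTMT.
    The statement text, and therefore its structure, depends on the input."""
    return ("INSERT INTO TBL (a,b,c) VALUES ('" + x + "', '"
            + y + "', '" + z + "')")


def insert_concatenated(conn, x, y, z):
    """PREPARE/EXECUTE of the concatenated text. Returns True if the
    statement ran, False if the input changed the SQL enough to break it."""
    try:
        conn.execute(build_concatenated(x, y, z))
        return True
    except sqlite3.OperationalError:
        # The value altered the statement's structure: the symptom that
        # makes this pattern unsafe. A different value could alter it
        # without an error, which is why the error is only a warning sign.
        return False


def insert_parameterized(conn, x, y, z):
    """Parameterized pattern: the statement text never changes; the
    database receives x, y, z as values, quotes included."""
    conn.execute(PARAMETERIZED, (x, y, z))
    return True


def compare(value):
    """Run the same input through both patterns and report what was stored
    in column a. 'y' and 'z' are constructed filler values."""
    conn = open_db()
    concat_ok = insert_concatenated(conn, value, "y", "z")
    insert_parameterized(conn, value, "y", "z")
    stored = [row[0] for row in conn.execute("SELECT a FROM TBL ORDER BY rowid")]
    conn.close()
    return {"concat_ok": concat_ok, "stored": stored}


if __name__ == "__main__":
    for sample in ("plain", "O'Brien"):
        print(sample, "->", compare(sample))
```

With the input `plain`, both patterns store the same row. With the perfectly legitimate input `O'Brien`, the concatenated text becomes `VALUES ('O'Brien', 'y', 'z')` and fails to parse, while the parameterized statement stores the name intact; the single quote was data to the second pattern but syntax to the first, which is exactly the distinction the answer draws between the two dynamic forms.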