No, this is not overkill. The primary job of cfqueryparam is data binding; helping prevent SQL injection is just an added bonus. Prepared statements through data binding are faster. You are mistaken in believing that it is only there to help prevent SQL injection attacks.
Important Note: I am adding a test case provided by @Dan Bracuk on an Oracle DB.
<!--- Warm-up: run each form once before timing so the first-parse cost is not counted --->
<cfquery name="without" datasource="burns">
    select count(*) from burns_patient where patientid = 1
</cfquery>
<cfquery name="with" datasource="burns">
    select count(*) from burns_patient where patientid = <cfqueryparam cfsqltype="cf_sql_integer" value="1">
</cfquery>

<cfscript>
    TotalWithout = 0;
    TotalWith = 0;
</cfscript>

<!--- Time 1000 runs of each form; result.executiontime is the per-query time in milliseconds --->
<cfloop from="1" to="1000" index="i" step="1">
    <!--- Literal pasted into the SQL text --->
    <cfquery name="without" datasource="burns" result="resultwithout">
        select count(*) from burns_patient where patientid = 1
    </cfquery>
    <!--- Same value passed as a bound parameter --->
    <cfquery name="with" datasource="burns" result="resultwith">
        select count(*) from burns_patient where patientid = <cfqueryparam cfsqltype="cf_sql_integer" value="1">
    </cfquery>
    <cfscript>
        TotalWithout += resultwithout.executiontime;
        TotalWith += resultwith.executiontime;
    </cfscript>
</cfloop>

<cfdump var="With total is #TotalWith# and without total is #TotalWithout#.">
The totals with cfqueryparam ranged from 700 to 900 milliseconds. The totals without ranged from 1800 to 4500 milliseconds. The total without was always at least twice as much.
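As an added example, not part of this answer and not ColdFusion code, the same two query shapes in Python against an in-memory SQLite table, so the two points of the answer (binding defeats injection, and a bound statement is prepared once) can be checked without an Oracle server. The table, its 1000 rows, the payload and the `count_with_typed` binder (which stands in for what `cfsqltype="cf_sql_integer"` does, an assumption about cfqueryparam's type check) are all constructed for the example. Unlike the test above, which repeats one literal, the benchmark varies the id on every iteration so that the concatenated form produces a new SQL text each time and has to be re-prepared.

```python
import sqlite3
import time

# Constructed for the example: an in-memory table named like the Oracle
# table in the answer, with patientid 1..ROW_COUNT.
ROW_COUNT = 1000


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table burns_patient (patientid integer primary key, name text)"
    )
    conn.executemany(
        "insert into burns_patient values (?, ?)",
        [(i, f"patient-{i}") for i in range(1, ROW_COUNT + 1)],
    )
    conn.commit()
    return conn


def count_without(conn, patientid):
    # The "without" form: the value is pasted into the SQL text. Every distinct
    # value is a distinct statement, and a crafted value rewrites the query.
    sql = f"select count(*) from burns_patient where patientid = {patientid}"
    return conn.execute(sql).fetchone()[0]


def count_with(conn, patientid):
    # The "with" form: one fixed SQL text, the value travels as a bound
    # parameter. This is what cfqueryparam does; the statement is prepared
    # once and reused, and the value can never become SQL.
    sql = "select count(*) from burns_patient where patientid = ?"
    return conn.execute(sql, (patientid,)).fetchone()[0]


def count_with_typed(conn, patientid):
    # Assumed stand-in for cfsqltype="cf_sql_integer": validate the type
    # before binding, so a non-integer is refused instead of compared as text.
    try:
        value = int(str(patientid))
    except ValueError:
        raise ValueError(f"cf_sql_integer would reject {patientid!r}") from None
    return count_with(conn, value)


def typed_binding_rejects(conn, patientid):
    """True when the typed binder refuses the value."""
    try:
        count_with_typed(conn, patientid)
    except ValueError:
        return True
    return False


def benchmark(conn, iterations=1000):
    """Time both forms over varying ids; returns (without_ms, with_ms).

    Ids vary so the concatenated form yields a new SQL text on each call and
    is re-prepared every time, while the bound form reuses one prepared
    statement. Both forms must return the same counts.
    """
    ids = [i % ROW_COUNT + 1 for i in range(iterations)]
    t0 = time.perf_counter()
    without = [count_without(conn, i) for i in ids]
    t1 = time.perf_counter()
    with_ = [count_with(conn, i) for i in ids]
    t2 = time.perf_counter()
    assert without == with_ == [1] * iterations
    return (t1 - t0) * 1000, (t2 - t1) * 1000


if __name__ == "__main__":
    db = make_db()
    payload = "1 OR 1=1"  # constructed injection payload
    print("literal 1       :", count_without(db, 1), count_with(db, 1))
    print("concatenated    :", count_without(db, payload))  # whole table
    print("bound parameter :", count_with(db, payload))     # no row matches
    print("typed binding   :", typed_binding_rejects(db, payload))
    w, p = benchmark(db)
    print(f"without: {w:.1f} ms, with: {p:.1f} ms")
```

With the bound form, SQLite receives the payload as a text value and compares it against the integer column, so it matches nothing; with the typed binder it never reaches the database at all, which is the behaviour a `cf_sql_integer` parameter gives you on top of the plain binding. The timing numbers depend on the machine and driver, so they are printed rather than asserted.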