CAS is the approach of using permissions and permission sets for a given code to run. Example, Admin can disable running executables off the Internet or restrict access to corporate database to only few applications.

Role security most of the time involves the code running with the privileges of the current user. This way the code cannot supposedly do more harm than mess up a single user account.

Neither is better.  It depends on the nature of the application; both code-based and role-based security could be implemented to an extent.