If you have FTP access to your server, the most secure setup is not having your themes or plugins directory writable by your webserver and instead having WordPress update files using FTP. When you go to update a plugin, WordPress will prompt you for your FTP details.
The FTP method is a lot slower than direct file writes, but it is a lot more secure as a rogue script won’t be able to modify your files.