Their reply sounds good to me, too. Generally, I'd have more confidence in the commercial PHP scripts than the free ones.
I don't know for sure that this is the same product, but the name is correct and this security report looks good: http://secunia.com/advisories/product/10399/?task=advisories
it doesn't use critical PHP features
What they probably meant by this is that it doesn't use functions like system() or passthru() and some others, so that you could disable those in your php.ini for security and their script would still work.
The form may be used for sending spam, but this doesn't compromise the security of the website files
That's also correct. Most forms can be used to send spam unless you add some sort of CAPTCHA (their FAQ says they have a CAPTCHA extension available).
It is desirable for your email address to be hard-coded in the script (NOT sent as a form field), so that the only person spam can be sent to is you, which is a lot better than if it can be sent to other recipients. Their FAQ shows you how to hard-code your email address in the script. I'd strongly recommend doing that. It is not a good idea to have the recipient email address (i.e. yours) sent as a form field (visible or hidden) because it allows robots to set it to different addresses and send spam to them.
I would recommend that you NOT enable the CC to client feature, because that can be misused to send spam to other people rather than your visitor. That is, they can put any email address in the form (to receive the CC), not necessarily their own.
Just because a form can be misused to send spam doesn't mean that it puts your website files at risk. Misusing a form to send spam is a different thing from "hacking the site".
Pay close attention to their FAQ. The indications are that it seems to be a good script, but you need to be careful configuring it because some of the options could let spammers abuse the form to send a lot of spam.