- Provide secure control of where network broadcasts and traffic go. You can't add devices to the network that can spy on traffic, because the new device is by default only a member of a crappy low-service VLAN, and needs to be added to specific VLANs to see specific traffic. It's not that the traffic is unreadable, but that it isn't even sent to the new devices by the routers/switches in the first place.
- Provide segmentation of broadcast domains. Broadcasts are strictly limited to correct VLANs, which potentially frees up a lot of bandwidth (I would guess 20/30%) that was otherwise merely being ignored by most machines anyway. If you want broadcasts from a particular VLAN, you have to be a member of that VLAN.
Their biggest disadvantage appears to be that switches and extra complexity add to latency, and that routers/switches have to configure ports to let VLAN traffic through, meaning some extra administration to do, and, of course, more things to go wrong. But when done in an organized way, VLANs are dead useful and efficient.
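
The membership rule described above, as an added example that is not part of the original text: a toy Python model of a switch flooding a broadcast only to ports in the same VLAN. The port names, the VLAN IDs (10, 20, and 999 as the default low-service VLAN) and the choice to drop tagged frames on access ports and untagged frames on the trunk are assumptions made for illustration.

```python
import struct

QUARANTINE_VLAN = 999  # constructed ID for the default low-service VLAN

class Switch:
    def __init__(self):
        self.ports = {}  # name -> ("access", vid) or ("trunk", allowed set)

    def add_port(self, name, mode="access", vlans=QUARANTINE_VLAN):
        # A port nobody has assigned stays in the low-service VLAN.
        self.ports[name] = (mode, vlans)

    def classify(self, port, frame):
        """Return the VLAN a received frame belongs to, or None to drop it."""
        mode, vlans = self.ports[port]
        tpid, tci = struct.unpack("!HH", frame[12:16])  # after the two MACs
        tagged = tpid == 0x8100                         # 802.1Q tag present
        if mode == "access":
            # Access ports carry untagged frames only (assumption of this
            # model): the VLAN comes from the port config, not the frame.
            return None if tagged else vlans
        vid = tci & 0x0FFF                              # low 12 bits of TCI
        return vid if tagged and vid in vlans else None

    def flood(self, ingress, frame):
        """Ports that are sent a broadcast arriving on `ingress`."""
        vid = self.classify(ingress, frame)
        if vid is None:
            return set()
        out = set()
        for name, (mode, vlans) in self.ports.items():
            member = vlans == vid if mode == "access" else vid in vlans
            if member and name != ingress:
                out.add(name)
        return out

def broadcast(vid=None):
    """Constructed ARP-style broadcast frame, optionally 802.1Q tagged."""
    macs = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    tag = struct.pack("!HH", 0x8100, vid) if vid is not None else b""
    return macs + tag + struct.pack("!H", 0x0806) + b"\x00" * 28

def demo_switch():
    sw = Switch()
    sw.add_port("hr-pc", vlans=10)
    sw.add_port("hr-printer", vlans=10)
    sw.add_port("eng-pc", vlans=20)
    sw.add_port("uplink", mode="trunk", vlans={10, 20})
    sw.add_port("unknown-device")  # never assigned: low-service VLAN only
    return sw
```
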