Are keys or RFID tags more secure access control solutions?

Conceptual view: there is authentication, and there is authorization; these are distinct activities. Authentication is about making sure of who you are talking to; authorization is about deciding what some individual is allowed to do. You actually want to keep them separate.

RFID tags implement authentication: through the electronic conversation between the tag and the reader, the reader ascertains the identity of the tag, so (presumably) the identity of the tag holder. Authorization is performed by the reader, which can be linked with some central authorization server. On the other hand, with a key, authentication and authorization are conflated in the same device: having the key in hand automatically grants access.

The need for separation of authentication and authorization is made most visible when you want to revoke an access. With RFID tags, that's easy: simply flip some flag in the authorization server database. With keys, you cannot do that: to revoke an access, you must either recover the key itself (and you cannot do that if the reason for revocation was that the key has been lost or stolen), or change the lock (and that's expensive, not only for the lock itself, but because you must distribute a new set of keys to the other users). In a similar vein, with RFID tags you can enforce time-based access control (access granted only at some times in the day), and you cannot do that with keys.

Another good property of RFID tags is selective cloning. When a new employee must be granted access, issuing a new tag for him is easy for the system administrator; but users themselves will find it hard to clone their tag (good tags are like smart cards: they are tamper resistant). This means that authorization management remains in the hands of the sysadmins. With keys, either keys cannot be duplicated, in which case granting access to new users is hard, or keys can be duplicated, in which case preventing rogue cloning by existing users is hard.

Summary: RFID tags are superior to keys because they allow for fine-grained access control with immediate revocation, and centralized authorization and administration.

The most salient point which would make keys preferable over RFID tags, in some specific contexts, is that keys don't need to be powered. A padlock which has been locked remains locked even after an extended power outage. However, in most cases, RFID tags are better.
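The separation described in this answer (the reader learns *which* tag is present; a central database decides *what* that identity may do, and revocation or time windows are a database change rather than a lock change) can be modelled in a few lines. The following is an added illustration, not code from the answer or from any real access-control product; the tag identifiers, holders, doors and hours are constructed sample data, and the in-memory dictionary stands in for the central authorization server.

```python
import datetime as dt

# Constructed sample registry: tag id -> record. In a deployment the reader
# would query a central authorization server; this dict stands in for it.
TAGS = {
    "TAG-0001": {"holder": "alice", "revoked": False,
                 "doors": {"lobby", "lab"}, "hours": (8, 18)},   # 08:00-18:00 only
    "TAG-0002": {"holder": "bob", "revoked": False,
                 "doors": {"lobby"}, "hours": (0, 24)},          # any time
}

# Every decision is recorded: something a mechanical key never gives you.
AUDIT = []


def authenticate(tag_id):
    """Authentication: establish which enrolled tag is present.
    Returns the tag's record, or None for an unknown tag."""
    return TAGS.get(tag_id)


def authorize(record, door, when):
    """Authorization: decide whether this identity may open this door now.
    Kept separate from authenticate() so policy can change without re-issuing tags."""
    if record["revoked"]:
        return False, "revoked"
    if door not in record["doors"]:
        return False, "door not permitted"
    start, end = record["hours"]
    if not start <= when.hour < end:
        return False, "outside permitted hours"
    return True, "ok"


def request_access(tag_id, door, when):
    """What the reader does when a tag is presented at a door."""
    record = authenticate(tag_id)
    if record is None:
        AUDIT.append((when, tag_id, door, "denied", "unknown tag"))
        return False
    granted, reason = authorize(record, door, when)
    AUDIT.append((when, tag_id, door, "granted" if granted else "denied", reason))
    return granted


def revoke(tag_id):
    """Revocation: flip one flag centrally. No lock is re-keyed and the
    physical tag need not be recovered; a lost or cloned copy dies with it."""
    if tag_id in TAGS:
        TAGS[tag_id]["revoked"] = True


if __name__ == "__main__":
    nine_am = dt.datetime(2024, 1, 8, 9, 0)
    ten_pm = dt.datetime(2024, 1, 8, 22, 0)
    print(request_access("TAG-0001", "lab", nine_am))   # granted
    print(request_access("TAG-0001", "lab", ten_pm))    # outside hours
    revoke("TAG-0001")
    print(request_access("TAG-0001", "lab", nine_am))   # revoked
    for entry in AUDIT:
        print(entry)
```

The point of the split is visible in `revoke()`: the policy change takes effect at the next read without touching either the door or the tag, which is exactly what the answer says a key cannot offer.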


In favor of the mechanical locks is that they are cheap and simple (and so less likely to break down).

(Even if you do deploy a fancy RFID system I bet you have a mechanical lock put in as well, because it costs next to nothing and gives you a fall-back in case the Access Control fails.)

However, in most high security environments you are likely to want some sort of electronic access control, not just for the logging, but so you can cancel access remotely. e.g. if Fred loses his RFID tag, or if Barney leaves the company, one change to the database and all three tags stop working.

(Three wasn't a typo: I was including the clone Betty made of Barney's tag that neither of you knew about. That Betty!)

As with all things security, it depends on the results of your risk analysis. I recently went with a mechanical-only lock on a new door to a secure area because when I ran the analysis, it simply wasn't worth the money.


TL;DR: Physical locks are simpler and therefore less prone to failure. Proximity cards (e.g. RFID) are superior in every other way.

Picking a lock
is a side-channel attack that grants access to an individual who does not need to have ever encountered a valid access token (in this case, a key). It's quick, highly effective, and leaves no audit logs (other than perhaps scratches). Nearly all locks are vulnerable to picking to some degree.
Picking an RFID station
would be a similar side-channel attack against the station hardware itself or against the underlying protocol. No such generalized attack exists, but specialized attacks against specific hardware may be possible.

Cloning a physical key
requires only a photograph of the key and the appropriate key-cutting hardware. Commercially produced hardware for doing this is available at minimal cost, or you can do it manually using a file and a decent ruler. The distance at which you can clone a key is unlimited for practical purposes, and requires only line-of-sight. Whether or not sufficient resolution exists to do this from space is not publicly disclosed, but it may be a possibility. A cloned key can be made indistinguishable from an original. In some cases it's also possible to use the physical properties of the lock to create a working key (without ever seeing another "real" key). Every key can be cloned. Without exception.
Cloning an RFID token
requires a device to read and reproduce the RFID signal, such as the Proxmark3. This is a specialized device which is readily available but not widely possessed. Higher-security challenge-response tokens cannot be cloned by reading their signal. Full stop.

Revoking access for a physical key
involves re-keying all the locks so that the revoked key no longer works. Simply returning the key is insufficient, as keys are trivial to clone... even if they say "do not duplicate".
Revoking access for an RFID key
involves telling the system to stop trusting the revoked key. No further work necessary.
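The difference this answer draws between a token that can be copied by reading its signal and a challenge-response token that cannot comes down to whether the reader's verification depends on a fresh value each session. The following added simulation (not code from the answer, and not a model of any specific card or reader product) shows a static-identifier tag, an HMAC-based challenge-response tag, and a recording of one earlier exchange presented again later; the key and identifier values are constructed.

```python
import hashlib
import hmac
import secrets

UID_LEN = 4  # constructed: fixed-width tag identifier used in this toy protocol


class StaticTag:
    """Tag that only announces a fixed identifier; its whole 'secret' is what it transmits."""
    def __init__(self, uid: bytes):
        self.uid = uid

    def respond(self, challenge: bytes) -> bytes:
        return self.uid  # the challenge is ignored


class ChallengeResponseTag:
    """Tag holding a shared secret it never transmits; it only answers a MAC over the reader's nonce."""
    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return self.uid + hmac.new(self._key, challenge, hashlib.sha256).digest()


class RecordedExchange:
    """Stands in for a device that stored one earlier response and presents it again."""
    def __init__(self, response: bytes):
        self.response = response

    def respond(self, challenge: bytes) -> bytes:
        return self.response


class StaticReader:
    """Reader for static tags: accepts any announced identifier that is enrolled."""
    def __init__(self, enrolled):
        self.enrolled = set(enrolled)

    def verify(self, tag) -> bool:
        return tag.respond(b"") in self.enrolled


class ChallengeResponseReader:
    """Reader that issues a fresh random challenge and checks the MAC with the enrolled key."""
    def __init__(self, keys):
        self.keys = keys  # uid -> shared key, from the enrollment database

    def verify(self, tag) -> bool:
        challenge = secrets.token_bytes(16)  # new every session
        response = tag.respond(challenge)
        uid, mac = response[:UID_LEN], response[UID_LEN:]
        key = self.keys.get(uid)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)


def demo() -> dict:
    """Run the three scenarios and return which ones the readers accept."""
    uid = b"\x00\x00\x00\x01"          # constructed identifier
    key = secrets.token_bytes(32)       # constructed per-tag secret
    genuine = ChallengeResponseTag(uid, key)
    reader = ChallengeResponseReader({uid: key})

    # What a passive observer of one session would have: uid plus a MAC over that session's nonce.
    observed = genuine.respond(secrets.token_bytes(16))

    return {
        "genuine_tag": reader.verify(genuine),
        "recorded_exchange": reader.verify(RecordedExchange(observed)),
        "static_tag_copy": StaticReader([uid]).verify(StaticTag(uid)),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario}: {'accepted' if accepted else 'rejected'}")
```

The static copy is accepted because the identifier is the only thing the reader ever checks; the recorded exchange is rejected because its MAC was computed over a nonce the reader will never issue again. That is the property behind "cannot be cloned by reading their signal": the secret that makes the response valid is never on the air.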