How would disabling IPv6 make a server any more secure?

From a firewall perspective it is important to realize that both IPv4 and IPv6 (if enabled) are configured on a system and this is not always the case.

In my experience, I have been able to bypass (internal) firewalls. In one scenario, on a Linux machine, iptables was configured; however, ip6tables was not, which exposed (vulnerable) services that were not available over IPv4.

Since most services bind to 0.0.0.0 and [::]:[port] (every interface), these services are also available over IPv6.

So, yes, it is important to consider disabling IPv6 if you do not use it. If you do use it, you or administrators in general should be made aware that (at least on Linux servers) extra firewall configuration is required.

And before you start that administrators should be aware of this: you are totally correct. However, from experience, there is a lot of IPv6 knowledge lacking among system administrators.


There is no specific advantage in disabling IPv6. In particular, IPv6 is not more vulnerable than IPv4; rather, I'd say that it is more secure (e.g.: IPv6 suggests supporting IPsec).

The point is that while hardening your operating system, the general philosophy recommends removing all unused services/tools. This allows better control of your O.S., improves performance (in a generic way), and reduces the probability that attackers can exploit possible software bugs or misconfigurations and gain (partial) control of/access to the system. Thus, removing unused IPv6 is just a generically recommended action to finalize the hardening.


The advice is well-meaning but dated.

IPv6 is specifically designed to be very easy to set up and administer, much easier than IPv4. It has many features meant to cause hosts and entire networks to be autoconfigured or easily centrally configured. In many cases it's possible for entire networks to suddenly gain IPv6 connectivity to the Internet as soon as it's brought to the network edge, which may surprise some people.

This advice was historically meant to protect administrators both from themselves - as they may not be familiar with IPv6 features - and from malicious actors - as when they finally do gain IPv6 connectivity to the Internet, devices will attempt to autoconfigure and sometimes succeed. Further, certain versions of Windows attempt to establish IPv6 tunnels to the Internet out of the box, again surprising some users and administrators. (As an aside, disabling these tunnels is almost always a good idea unless they're specifically desired.)

And as others have mentioned, some ancient firewalls from 5-10 years ago or more did not properly configure themselves to firewall IPv6 in addition to IPv4. This is not as big of an issue today, as such ancient devices become more rare with each passing day.

These days, most people actually are using IPv6 even if they don't have global IPv6 connectivity. Windows 8 and later use IPv6 extensively on home networks, and some Windows features absolutely require IPv6.

From the standpoint of balancing functionality with security, it would be better to advise people to ensure that IPv6 is firewalled correspondingly to IPv4, even if they do not have global IPv6 connectivity. This would preserve IPv6 functionality that already exists while protecting the users when they finally do gain global IPv6 connectivity.
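The gap the first answer describes (iptables configured, ip6tables not, with services bound to `[::]`) and the IPv4/IPv6 firewall parity the last answer recommends can be checked mechanically. The following is an added example, not code from any of the answers; the `ss -ltn`, `iptables -S INPUT` and `ip6tables -S INPUT` outputs it parses are constructed samples, and it only understands simple `--dport ... -j ACCEPT` rules plus the chain's default policy.

```python
import re

# Constructed sample inputs (not captured from a real host), shaped like the
# Linux box in the first answer: IPv4 INPUT is filtered, IPv6 INPUT is wide open.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*
LISTEN 0      511    *:8080             *:*
"""
IPTABLES_S = "-P INPUT DROP\n-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT\n"
IP6TABLES_S = "-P INPUT ACCEPT\n"

# Forms ss prints for the IPv6 wildcard address, depending on its version.
V6_WILDCARDS = {"[::]", "::", "*"}

def listening_ports(ss_text):
    """Map each LISTEN port to the set of local addresses bound to it."""
    ports = {}
    for line in ss_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # "[::]:22" -> "[::]", "22"
        ports.setdefault(int(port), set()).add(addr)
    return ports

def allowed(rules_text, port):
    """True if the INPUT chain lets TCP traffic to `port` through, either via an
    explicit ACCEPT rule or because the default policy is ACCEPT (no filtering)."""
    policy = re.search(r"^-P INPUT (\S+)", rules_text, re.M)
    if policy is None or policy.group(1) == "ACCEPT":
        return True
    accepted = re.findall(r"--dport (\d+) -j ACCEPT", rules_text, re.M)
    return str(port) in accepted

def audit(ss_text, v4_rules, v6_rules):
    """Ports bound on IPv6 that ip6tables lets through although iptables would
    block the same port over IPv4: exactly the services 'not available over
    IPv4' from the first answer."""
    gaps = []
    for port, addrs in sorted(listening_ports(ss_text).items()):
        on_v6 = bool(addrs & V6_WILDCARDS)
        if on_v6 and allowed(v6_rules, port) and not allowed(v4_rules, port):
            gaps.append(port)
    return gaps

if __name__ == "__main__":
    print("Reachable over IPv6 only:", audit(SS_OUTPUT, IPTABLES_S, IP6TABLES_S))
```

On a real host, feed it the live output of the three commands; an empty result means the IPv6 chain is at least as restrictive as the IPv4 one for every dual-stack listener.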

Tags: Linux, IPv6