Is there a security advantage or risk in removing disabled user accounts?

In general, it is always best to reduce your attack surface. No system is ever perfect and your deactivation protocol will be no exception due to both programmatic and potential human error.

Risk 1: Let's say all your terminated employees' accounts have been properly de-activated, for example via altering their role in the employee table in the database (or however they are stored). In this hypothetical scenario your administrator account has been compromised. A smart attacker may use the administrator account to re-enable a past terminated employee's account and use that account to conduct malicious activity on the system. By doing so, they are less likely to be discovered by intrusion detection systems (i.e. admin always logged in from Texas, USA, but all of a sudden admin is in Brazil?). This could increase the attack surface and potentially give the attacker more power. Never a good thing.

Risk 2: Human error exists. What if one day you accidentally de-activate a still valid employee's account, type Alex instead of Alexander when you wish to re-activate it, and have now re-activated a terminated employee's account? Or maybe you did not even mean to re-activate an account, but one day when your computer was frozen and you were angrily spamming your mouse, clicking at anything for a response, you clicked the reactivate flag?

Both cases are unlikely but why take the risk?

Unless your system has the need for a sophisticated audit trail that relies on still-existing accounts in the system to work (i.e. does more than just print the name of the user and the action to a log, but rather still actively accesses the user's info), there is no good reason to leave this bloat data in your system.

I always check after I leave a company (while working as a co-op in the past I frequently spent spurts of time at various companies) if I can still log in to my accounts, and more often than not, one way or another, I could.

Always err on the side of cyber-safety.


First of all, I don't like to use the term "address a risk" because there are more accurate words than "address". I know it's a commonly used term in risk management but I feel it is likely to be misunderstood so I would rather avoid it.

Anyway, there is no security risk that removing a disabled account addresses. However, I believe you are asking the wrong question.

It depends on what you mean by "a disabled account".

A disabled account could be as simple as a row in a database with 2 columns, a primary key userid which is an integer, and an enum isdisabled which is set to "TRUE". Does deleting this disabled account address a risk? I don't think it does.

But on the other end of the spectrum the disabled account could contain credit card numbers, unencrypted passwords, photo of driver license, social security number, etc, along with isdisabled set to "TRUE".

What exactly is a "disabled account" in your scenario?

In general, I would recommend never deleting disabled accounts, and rather consider removing sensitive information at the point of "disabling" the account. So if a user disables and then reactivates their account, they will need to add card numbers again, re-verify their phone number, etc. So basically setting all flags to their default positions and keeping only non-sensitive information.

Keeping disabled accounts has value. You have a hard record of how many users have ever signed up, and you may want to keep some of their information for various purposes. If a user signs up, verifies their phone number, then becomes blacklisted/banned by your system, then deactivates their account (and your "disabling" system either removes their phone number or removes their whole row including the phone number), then they can sign up again with another email address, re-verify their phone number and potentially get around the blacklist (if your blacklist is a column isbanned).

So definitely keep your disabled accounts, just make sure to consider removing sensitive information from them, especially the kind of information users would expect you to delete that you can't possibly use for good purposes.
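The "scrub on disable, keep the row" design this answer recommends, as an added example that is not from the original post. The schema (a `userid`, an `email`, an `isdisabled`/`isbanned` pair and the sensitive columns the answer lists) is assumed; so is the choice to retain a keyed SHA-256 digest of a banned user's phone number rather than the number itself, which is one way to keep the blacklist enforceable after the raw phone number has been wiped.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed server-side key for the phone digest (assumption: in a real
# deployment this comes from a secrets store, never from source code).
BAN_KEY = b"constructed-example-key-not-for-production"

# Columns wiped when an account is disabled (assumed schema, mirroring the
# worst-case row the answer describes).
SENSITIVE_FIELDS = ("card_number", "password", "license_photo", "ssn", "phone")


@dataclass
class Account:
    userid: int
    email: str
    isdisabled: bool = False
    isbanned: bool = False
    phone_verified: bool = False
    card_number: Optional[str] = None
    password: Optional[str] = None       # plaintext only to mirror the answer's worst case
    license_photo: Optional[bytes] = None
    ssn: Optional[str] = None
    phone: Optional[str] = None
    phone_digest: Optional[str] = None   # keyed digest kept only for banned users


def phone_fingerprint(phone: str) -> str:
    """Keyed digest of the digits of a phone number, so a ban can be matched
    at sign-up without the raw number being stored anywhere."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    return hmac.new(BAN_KEY, digits.encode(), hashlib.sha256).hexdigest()


def disable_account(acct: Account) -> Account:
    """Disable in place: the row (userid, email, ban flag) survives, every
    sensitive column is cleared and the phone goes back to unverified, so a
    later reactivation forces the user to re-add cards and re-verify."""
    if acct.isbanned and acct.phone:
        acct.phone_digest = phone_fingerprint(acct.phone)
    for name in SENSITIVE_FIELDS:
        setattr(acct, name, None)
    acct.phone_verified = False
    acct.isdisabled = True
    return acct


def reactivate_account(acct: Account) -> Account:
    """Reactivation only flips the flag; the scrubbed columns stay empty."""
    acct.isdisabled = False
    return acct


def phone_is_banned(accounts: Iterable[Account], phone: str) -> bool:
    """Sign-up check: does this phone number match a digest retained from a
    banned account? Works even though no banned row keeps the raw number."""
    fp = phone_fingerprint(phone)
    return any(a.isbanned and a.phone_digest == fp for a in accounts)


if __name__ == "__main__":
    # Constructed sample row: a banned user who then deactivates.
    row = Account(userid=1, email="user@example.com", phone="+1 555 0100",
                  card_number="4111111111111111", ssn="123-45-6789",
                  phone_verified=True, isbanned=True)
    disable_account(row)
    print(row)
    print("same phone banned at re-signup:", phone_is_banned([row], "15550100"))
```

Non-banned users get no digest at all, so the only thing that outlives a normal deactivation is the identity of the row; the digest is created solely for rows where `isbanned` is already set.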


The first question is: how reliable is your deactivation procedure? (if the answer is "100%", I'd suggest you're most likely not being honest with yourself.) Removing unused accounts helps ensure that terminated employees, even if their account misses deactivation, still are removed from the system in question. And ensuring that former employees do not continue to have access is a good security practice.

In theory a locked account shouldn't present much risk. If someone reactivates a disabled account, they're already in your network with admin credentials. But it would still be a good thing to not give them additional room to play in. Let's assume that this breach happened. You'd then need to go through all your terminated employees and ensure that their accounts have all been deactivated to ensure that the bad guys don't just come back in through the back door they've activated/created. Additionally, paring down disabled accounts reduces the potential attack surface.

In a validated environment, those accounts need to be kept around for documentation and audit purposes. There it makes sense to move them into a "disabled" OU and run a check against them nightly to ensure that they don't somehow get reactivated.

TL;DR: unless there's a good reason to keep these accounts around, it makes more sense to remove them.
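The two controls these answers describe, the re-enable of a terminated account that the first answer's Risk 1 warns about and the nightly "did anything in the disabled OU get reactivated" check plus eventual removal from the last answer, as an added example that is not from either post. The audit records, their line format (`<ISO timestamp> <actor> <ENABLE|DISABLE> <account>`), the list of terminated accounts and the 90-day retention window are all constructed assumptions; a real directory would feed this from its own audit log.

```python
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set


class Event(NamedTuple):
    ts: datetime
    actor: str
    action: str    # "ENABLE" or "DISABLE"
    account: str


# Constructed audit records (not from any real directory), one per line:
# <ISO timestamp> <actor> <ENABLE|DISABLE> <account>
RAW_EVENTS = """\
2024-03-01T09:00:00 hr-automation DISABLE alexander
2024-03-01T09:00:05 hr-automation DISABLE carol
2024-03-15T22:13:40 admin ENABLE alexander
2024-03-20T08:00:00 hr-automation DISABLE dave
2024-03-21T08:05:00 hr-automation ENABLE dave
"""

# Accounts HR says are terminated and must stay disabled (assumed input).
TERMINATED: Set[str] = {"alexander", "carol"}


def parse_events(raw: str) -> List[Event]:
    """Parse the constructed log format into time-ordered events."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ts, actor, action, account = line.split()
        events.append(Event(datetime.fromisoformat(ts), actor, action.upper(), account))
    return sorted(events, key=lambda e: e.ts)


def current_state(events: List[Event]) -> Dict[str, Event]:
    """Last ENABLE/DISABLE event per account, i.e. what the directory looks like now."""
    state: Dict[str, Event] = {}
    for e in events:
        state[e.account] = e
    return state


def reactivations_of_terminated(events: List[Event], terminated: Set[str]) -> List[Event]:
    """Every ENABLE of an account that should have stayed disabled, with the actor
    that did it: the event worth alerting on (Risk 1 in the first answer)."""
    return [e for e in events if e.action == "ENABLE" and e.account in terminated]


def currently_enabled_terminated(events: List[Event], terminated: Set[str]) -> Set[str]:
    """The nightly check from the last answer: terminated accounts whose present
    state is enabled, regardless of how they got there."""
    state = current_state(events)
    return {a for a in terminated if a in state and state[a].action == "ENABLE"}


def purge_candidates(events: List[Event], terminated: Set[str],
                     now: datetime, retention: timedelta) -> Set[str]:
    """Terminated accounts that are disabled and have been so for at least the
    retention period: the ones the TL;DR says to remove unless audit needs them."""
    state = current_state(events)
    return {a for a in terminated
            if a in state and state[a].action == "DISABLE"
            and now - state[a].ts >= retention}


if __name__ == "__main__":
    evs = parse_events(RAW_EVENTS)
    for e in reactivations_of_terminated(evs, TERMINATED):
        print(f"ALERT {e.ts.isoformat()} {e.actor} re-enabled terminated account {e.account}")
    print("still enabled but terminated:", currently_enabled_terminated(evs, TERMINATED))
    print("safe to remove:", purge_candidates(evs, TERMINATED, datetime(2024, 6, 1), timedelta(days=90)))
```

The alert and the nightly check answer different questions: the first catches the moment an admin credential (compromised or fat-fingered) flips a terminated account back on, the second catches the same condition even if that event never reached the log. Only accounts that pass the second check for the whole retention window become removal candidates.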