I've previously covered the issues of using a CMS, and that they require a lot of work to keep up-to-date. But sometimes that isn't enough. Part of the updating of a CMS may involve disabling some plugins, and replacing them with newer ones. Especially when there's compatibility issues following the update. However, only disabling the plugin means the code is still there - you need to remove unused plugins.
It seems that not a week goes by without yet another vulnerability is found in plugins used by CMS platforms. Some of these will cede control of the site and/or server to the attackers. Others may spit out malware, ransomware, or other malicious code to the visitor.
All of these are bad news for you, and your audience.
The problem with simply disabling the plugins is that doing so leaves the code on your site. As it's disabled, you aren't likely to upgrade or update it, so it's old code. Code which may have vulnerabilities and known exploits, and which may be targeted and exploited, even when being disabled.
If your platform has customer details and they are stolen as a result of the exploit, then you could be in big trouble with the ICO, or similar organisations depending on jurisdictions. Especially with GDPR being in place.
There is a requirement within GDPR for organisations to take "appropriate technical and organisational measures". Leaving old, unused code on your site which is then exploited is likely not an appropriate technical measure, and may be seen as negligent. Why is that? Simply put, there's no real reason why unused plugins should exist on your platform, and certainly no reason why they shouldn't have been patched, even if unused. You won't have taken all reasonable measures to secure the system, and that could land you with a huge fine.
It's a fairly trivial task to remove plugins from your sites, and because they are generally designed to work in isolation they should be able to be removed without impacting others.
For the sake of security (and potentially the longevity of your business), remove unused plugins from your sites!