Type: Suggestion
Resolution: Low Engagement
Component/s: None

Use of the plaintext password encoder introduces a security risk in the case of system compromise – one of the hashed, salted schemes (such as the default ATLASSIAN-SECURITY) should be used in any production environment.
However, although it's not the default, having it present as an option creates the risk that it will be used: it would be safer to remove it entirely.