We should remove support for sha1 passwords in https://github.com/contao/core/blob/4539b50fd849dda41c58cdf0da2230dffd909c94/system/modules/core/library/Contao/User.php#L383-L388
If someone gets read access to the database, they could brute-force the password of a backend user that still has a sha1 password hash. With the password they could then take over the server.
Removing support shouldn’t be a problem as it only affects users that didn’t log in for a very long time.
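
An audit to find the accounts this change would affect, as an added example that is not part of the original issue or of Contao's code. It assumes the stored value is available per user as a string, that a legacy value is 40 hex characters optionally followed by `:salt`, and that current hashes use the `$id$...` crypt format; the row layout and function names are hypothetical.

```python
import re

# Assumption: legacy values are 40 hex chars of SHA-1, optionally followed by ":salt".
LEGACY_SHA1 = re.compile(r"^[0-9a-f]{40}(?::.+)?$", re.IGNORECASE)
# Modular crypt format, e.g. "$2y$..." or "$argon2id$...".
CRYPT_FORMAT = re.compile(r"^\$[0-9a-z-]+\$")


def classify(stored):
    """Return 'legacy-sha1', 'crypt' or 'unknown' for one stored password value."""
    value = (stored or "").strip()
    if LEGACY_SHA1.match(value):
        return "legacy-sha1"
    if CRYPT_FORMAT.match(value):
        return "crypt"
    return "unknown"


def accounts_to_reset(rows):
    """rows: iterable of (username, is_admin, stored_hash).

    Returns (username, is_admin) for every legacy account, admins first,
    so the highest-impact accounts are reset before support is removed.
    """
    flagged = [(user, bool(admin)) for user, admin, stored in rows
               if classify(stored) == "legacy-sha1"]
    return sorted(flagged, key=lambda r: (not r[1], r[0]))


# Constructed sample rows, not real data.
SAMPLE_ROWS = [
    ("alice", 1, "$2y$10$" + "A" * 53),
    ("bob", 0, "0123456789abcdef0123456789abcdef01234567"),
    ("carol", 1, "0123456789ABCDEF0123456789ABCDEF01234567:f3a9c1d27b"),
    ("dave", 0, ""),
]

if __name__ == "__main__":
    for user, admin in accounts_to_reset(SAMPLE_ROWS):
        print(f"{user}\tadmin={admin}\tlegacy SHA-1 hash: force a password reset")
```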