Security around save_post hook

The save_post hook is called every time someone calls the function wp_insert_post(). Plugins do that, unfortunately some themes too, and WordPress itself in several places, for example when …

  • someone uses post by email or XML-RPC
  • an auto-draft is created
  • the Quick Draft feature on the dashboard is used
  • a navigation menu item is added
  • a revision is created

You really don’t want to handle all of those actions without your own verification.

Besides that, nonces should guarantee that an action cannot be replayed by someone who eavesdrops on another person’s network traffic. In theory, nonces prevent that. The default WordPress nonces are not very secure in that regard, because they can be reused. But your users might have installed a plugin that creates real, single-use nonces. Do you really want to bypass their extra security measures? Probably not.
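The following is an added example, not code from the original post, showing one way to wire a save_post handler so that every context listed above (autosaves, revisions, XML-RPC, post by email, Quick Draft, menu items) drops out before any data is written, and so that the nonce and capability checks are never bypassed. The meta box id `ex_subtitle_box`, the nonce action `ex_subtitle_save`, the nonce field `ex_subtitle_nonce` and the meta key `_ex_subtitle` are names chosen for this example; all the WordPress functions used (`add_meta_box`, `wp_nonce_field`, `wp_verify_nonce`, `wp_is_post_autosave`, `wp_is_post_revision`, `current_user_can`, `update_post_meta`) are the standard core API.

```php
<?php
/**
 * Added example (not from the original post): a save_post handler that
 * verifies each request before touching post data. The meta box id,
 * nonce action/field name and meta key are assumptions made for the example.
 */

// Render the field together with a nonce, so only forms we produced can pass.
add_action( 'add_meta_boxes', function () {
    add_meta_box( 'ex_subtitle_box', 'Subtitle', 'ex_render_subtitle_box', 'post' );
} );

function ex_render_subtitle_box( WP_Post $post ) {
    wp_nonce_field( 'ex_subtitle_save', 'ex_subtitle_nonce' );
    $value = get_post_meta( $post->ID, '_ex_subtitle', true );
    printf(
        '<input type="text" name="ex_subtitle" value="%s" class="widefat">',
        esc_attr( $value )
    );
}

// save_post passes the post ID and the post object (a third argument,
// $update, is available but not needed here).
add_action( 'save_post', 'ex_save_subtitle', 10, 2 );

function ex_save_subtitle( $post_id, WP_Post $post ) {
    // 1. Autosaves and revisions: WordPress fires save_post for them too,
    //    but our edit form was not submitted, so there is nothing to save.
    if ( ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE )
        || wp_is_post_autosave( $post_id )
        || wp_is_post_revision( $post_id ) ) {
        return;
    }

    // 2. Only handle the post type our meta box is registered for.
    //    Nav menu items and auto-drafts of other types drop out here.
    if ( 'post' !== $post->post_type ) {
        return;
    }

    // 3. The nonce field is only present when our own form was submitted.
    //    XML-RPC, post by email and Quick Draft never carry it, so bail out.
    if ( ! isset( $_POST['ex_subtitle_nonce'] ) ) {
        return;
    }

    // 4. Verify the nonce and stop if it does not check out. Because this
    //    goes through wp_verify_nonce(), a plugin that hardens nonces is
    //    honoured rather than bypassed.
    if ( ! wp_verify_nonce( $_POST['ex_subtitle_nonce'], 'ex_subtitle_save' ) ) {
        return;
    }

    // 5. Capability check: a valid nonce proves the form is ours, not that
    //    this user may edit this particular post. Check that separately.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // 6. Only now read, sanitise and store the submitted value.
    $subtitle = isset( $_POST['ex_subtitle'] )
        ? sanitize_text_field( wp_unslash( $_POST['ex_subtitle'] ) )
        : '';

    if ( '' === $subtitle ) {
        delete_post_meta( $post_id, '_ex_subtitle' );
    } else {
        update_post_meta( $post_id, '_ex_subtitle', $subtitle );
    }
}
```

The order of the checks matters: the cheap context checks (autosave, revision, post type, presence of the nonce field) come first so that the handler returns quickly for the many save_post calls that have nothing to do with your form, and the nonce is verified before the capability check so that a replayed or forged request is rejected before any user-specific logic runs. Returning silently is the usual choice inside save_post, since calling wp_die() there would interrupt unrelated saves that legitimately triggered the hook.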
