Why allow overriding crucial pluggable functions wp_verify_nonce and wp_create_nonce?

There is no security risk in a pluggable function: If someone installs a plugin that lowers the security it is his/her own fault. On the other hand, you can override the functions to make nonces more unique or to change their format.

In a custom function wp_verify_nonce() you could use an optional third parameter or change the time a nonce expires.

Nowadays pluggable functions aren’t introduced anymore. They are hard to debug, and you can do the same with filters usually. And then there’s as well the problem that you can’t ever be sure that no other plugin will redefine the pluggable function (again) after you redefined it.
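An added illustration of the two mechanisms the answer contrasts (this is example code, not the answer's own code and not WordPress core): the `nonce_life` filter changes nonce expiry without touching any pluggable function, while the guarded `wp_verify_nonce()`/`wp_create_nonce()` pair shows what an override looks like and why it is fragile. The calls to `wp_nonce_tick()`, `wp_hash()`, `wp_get_session_token()` and `hash_equals()` are real WordPress/PHP APIs; the optional `$uid` parameter and the 4-hour lifetime are assumptions made up for the example.

```php
<?php
/**
 * Example only, not part of the original answer or of WordPress core.
 *
 * 1. Filter approach (what the answer recommends instead of pluggables).
 *    Core passes the default lifetime (DAY_IN_SECONDS) through the
 *    'nonce_life' filter inside wp_nonce_tick(), so a shorter window
 *    needs no override at all. The 4-hour value is an assumption.
 */
add_filter( 'nonce_life', function ( $life ) {
    return 4 * HOUR_IN_SECONDS;
} );

/**
 * 2. Pluggable approach the question asks about. The function_exists()
 *    guard is mandatory: the override only wins if this file is loaded
 *    before wp-includes/pluggable.php (a plugin or mu-plugin, never a
 *    theme), and a second plugin defining the same function without the
 *    guard triggers a fatal "cannot redeclare" error, or silently wins
 *    if it happens to load first. That is the ordering problem the
 *    answer describes.
 *
 * Shared hashing step so create and verify can never drift apart.
 * (Assumed helper name; prefixed to avoid clashing with other plugins.)
 */
function example_nonce_hash( $tick, $action, $uid, $token ) {
    return substr( wp_hash( $tick . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
}

if ( ! function_exists( 'wp_create_nonce' ) ) {
    /**
     * Same contract as core, plus an assumed optional $uid so a nonce
     * can be minted for a given user rather than only the current one.
     */
    function wp_create_nonce( $action = -1, $uid = 0 ) {
        if ( ! $uid ) {
            $uid = (int) wp_get_current_user()->ID;
        }
        return example_nonce_hash( wp_nonce_tick(), $action, $uid, wp_get_session_token() );
    }
}

if ( ! function_exists( 'wp_verify_nonce' ) ) {
    /**
     * Same return contract as core: 1 for the current tick, 2 for the
     * previous tick (still inside the lifetime), false otherwise.
     */
    function wp_verify_nonce( $nonce, $action = -1, $uid = 0 ) {
        $nonce = (string) $nonce;
        if ( '' === $nonce ) {
            return false;
        }
        if ( ! $uid ) {
            $uid = (int) wp_get_current_user()->ID;
        }

        $token = wp_get_session_token();
        $tick  = wp_nonce_tick();

        // Constant-time comparison, exactly as core does it.
        if ( hash_equals( example_nonce_hash( $tick, $action, $uid, $token ), $nonce ) ) {
            return 1;
        }
        if ( hash_equals( example_nonce_hash( $tick - 1, $action, $uid, $token ), $nonce ) ) {
            return 2;
        }
        return false;
    }
}
```

Because both functions share one hashing helper, a change in one cannot invalidate nonces issued by the other; in practice the filter block alone covers the "change the time a nonce expires" case, and the pluggable pair is only needed for a real format change such as the extra `$uid` argument.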
