Why Allow Script Commands in Comments?

It is not a “security risk” per se, as an admin can just go and add whatever stupid PHP code he likes via FTP, which usually can do much more damage than some JS. If an admin does stupid things then there is nothing you should do about it, as after all it is his site.

Maybe it is worth mentioning what the security risk with inserting random JS is. Basically, if you can insert JS into a page (via comments in this case), your JS can read the authentication-related cookies and send them to you. Now all that is left is to “trick” the admin into visiting that page; you get the cookies and can therefore access the site as admin.

OK, so not a security risk, but it does sound ugly; can’t we just filter out <script> for everyone? The problem is that you might want to do something less trivial, such as embedding a YouTube video, for which the sharing code might require loading some script (probably a bad example given how YT works today).

The core sin with the comment form is that random users can even attempt to submit anything that contains HTML, which is not only a potential security risk but also a bad UX for 99% of users (even the technically adept). In an ideal world, potentially non-secure things would be available only from the admin side, but this particular ship has sailed ages ago.
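As an added example (not part of the answer above, and not WordPress core code), here is one way to enforce the "filter HTML for everyone" position the answer describes, as a small must-use plugin. WordPress itself runs `wp_filter_kses` on `pre_comment_content` only for users who lack the `unfiltered_html` capability, so a logged-in admin's comment is stored with `<script>` intact; the filter below hooks the same `pre_comment_content` filter at a later priority and passes every comment, admin or not, through `wp_kses` with a deliberately small tag whitelist. The plugin name, function name and `scx_` prefix are placeholders chosen for this example; `pre_comment_content`, `wp_kses`, `current_user_can` and the `DISALLOW_UNFILTERED_HTML` constant are real WordPress APIs.

```php
<?php
/**
 * Plugin Name: Strict Comment HTML (example, hypothetical plugin)
 * Description: Run every comment through wp_kses with a minimal whitelist,
 *              regardless of the commenter's capabilities.
 * Install as wp-content/mu-plugins/strict-comment-html.php
 */

// Tags and attributes a comment may keep. Everything else is stripped,
// including <script>, <iframe>, inline event handlers (onclick, onerror, ...)
// and "javascript:" URLs (wp_kses only allows whitelisted URL protocols).
function scx_allowed_comment_html() {
    return array(
        'a'          => array( 'href' => true, 'title' => true, 'rel' => true ),
        'strong'     => array(),
        'em'         => array(),
        'code'       => array(),
        'pre'        => array(),
        'blockquote' => array( 'cite' => true ),
    );
}

// Core's own kses filter runs at priority 10 and is removed for users with
// unfiltered_html; priority 20 means this runs after it, for every commenter.
function scx_strict_comment_html( $content ) {
    return wp_kses( $content, scx_allowed_comment_html() );
}
add_filter( 'pre_comment_content', 'scx_strict_comment_html', 20 );

// Optional belt-and-braces: log (do not block) when a privileged user's
// comment actually lost markup, so an admin can see the filter is doing work.
function scx_log_stripped_markup( $comment_id, $comment_approved, $commentdata ) {
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        return;
    }
    // $commentdata holds the already-filtered content; compare with raw input.
    $raw = isset( $_POST['comment'] ) ? wp_unslash( (string) $_POST['comment'] ) : '';
    if ( $raw !== '' && $raw !== $commentdata['comment_content'] ) {
        error_log( sprintf( 'strict-comment-html: stripped markup from comment %d by user %d', $comment_id, get_current_user_id() ) );
    }
}
add_action( 'comment_post', 'scx_log_stripped_markup', 10, 3 );
```

The embedded-video case the answer raises is handled by keeping embeds out of the whitelist entirely: since WordPress already turns a bare YouTube URL in post content into an embed via oEmbed, a comment can carry the link as plain text rather than the sharing `<script>`. If you would rather remove the capability globally than filter around it, `define( 'DISALLOW_UNFILTERED_HTML', true );` in wp-config.php strips `unfiltered_html` from every role, including administrators, so core's own kses filtering then applies to their posts and comments too.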