I regularly see production code from developers (large companies and individuals) that contains code that has been commented out. Presumably this removes earlier attempts at achieving the functionality that didn't work for some reason.
To my mind, this is messy, but potentially has some benefits e.g. on returning to refactor or extend the code, the developer can see what has been tried previously.
Are there any security or best-practice aspects to this?
Best practice is to use SCM. If you think the old code is really something people will want to refer to in the future, leave a comment of "// We used to do it another way, which had interesting property X -- see revision 103" rather than leaving whole chunks of code that don't do anything.
Commenting out code has its place, but that place is quickie tests that aren't even worth the time to do a branch.
If the code is worth keeping, it's worth more than being lost in a comment somewhere. If it is not worth keeping, kill it with fire.
Best practice is that your code shows only the current. You should be using an SCM that deals with code history.
Code should be stored in source control.
Comments should be reserved to explain difficult to understand code or the reason for doing something out of the ordinary.