Why did the 2013 hack stop avatars being removed?
From when it happened:
It was initially suspected by many that the attack was done by exploiting a flaw in SMF which allows you to upload any file to the user avatars directory, and then using a misconfiguration in nginx to execute this file as a PHP script. However, this attack method seems impossible if PHP's security.limit_extensions is set.
It was disabled while they were still investigating the hack and then just never turned back on. Removing avatars is done from the same page as adding one:
To remove your avatar, submit this form without choosing any file to upload.
If you are not a Full Member or above you can't get to that page. I think it is just how SMF works rather than deliberate, i.e. the permission setting to add or remove an avatar is the same thing, so you can't grant permission to one without the other.