I don't even know if it was security consultants who ever recommended that. It's the same thing with disabling pasting into password fields. A lot of websites used to do that, many probably still do, but I have never seen a security team, no matter how braindead, recommend that nonsense. Rather, it's well-intentioned but stupid project managers following industry worst practices. You can't get in trouble for doing what everybody else is doing, no matter how terrible, I guess.
If you're on *nix, I've found that middle-click will usually work even if "CTRL-V" or right-click->paste is disabled. Something about the handling of Primary Selection vs. Clipboard in X11.
Ditto for credit card number entries. I use Dashlane to copy my CC info out of, and if that doesn't work, there is a good chance I'm not buying on your site. Maddening and pointless.
I agree this is probably product managers, but may also be engineers who have strongly held "security" opinions and nobody to check them.
This really used to be an issue when some JavaScript code constantly checked for new data in those inputs in hopes to find something interesting, like some personal info which shouldn't be there.
But I fully agree with the disable-paste stuff. Very few (web-related) things get as annoying as that.
