The security risk identified by the company that did the audit was "The presence of the robots.txt does not in itself present any kind of security vulnerability, but it does disclose information about the restricted areas within the [client] corporate website. If [client] relies on robots.txt to protect the location of CMSDesk and CMSSiteManager portals from web crawlers, and does not enforce proper access control over them, then this could present a serious vulnerability.
I suppose the options are:
1. Leave it - access control is enforced so there is no risk
2. Remove the two items from robots.txt - access control keeps them safe AND protected folder locations are not disclosed.
They both seem good enough IMHO but (2) I guess is a little better practice?