One could argue that a cross site scripting attack could use someone else's browser to paste to the site. So disabling paste disables one (small) vector for an attacker to use someone else's computer to attack.
Deleted my comment but I just realized why we did this -
The product I was working on was to be used on a shared public browser / kiosk. The reason was to prevent one user from pasting in the previous user's password.
Never trust the client['s computer]. Disabling pasting is trusting the client's computer. Security in depth ends where the Internet starts.