
Do web transforms published to production pose a security risk?


Our ASP.NET MVC app is published automatically using Octopus Deploy. We use web.config transformations and we always end up with additional environment-specific files in the installation folder, e.g.

Web.development.config, Web.test.config, Web.preprod.config

There is a slight advantage in having these files deployed since we can easily compare values between different environments when troubleshooting.

Is there a security risk in having different config files deployed to a production environment?


Solution

  • IIS should be configured to prevent the download of .config files by default, but depending on how tight your security needs are, it might be worth getting rid of them (e.g. if someone compromises a test server, they do not gain access to production).

    If you do want to get rid of them, you can write a PostDeploy.ps1 script to remove Web.*.config
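One way to implement the PostDeploy.ps1 clean-up the answer suggests. This is an added example, not the answerer's script and not part of Octopus Deploy itself. It assumes that Octopus runs a PostDeploy.ps1 from the package root after extraction and transformation, that `$OctopusParameters` is populated with the system variable `Octopus.Action.Package.InstallationDirectoryPath` (the install folder), and that the `WebAdministration` module is available on the target for the optional request-filtering check; the fallback to `$PSScriptRoot` is only so the script can be dry-run outside Octopus.

```powershell
# PostDeploy.ps1 (added example, not from the original answer)
# Removes leftover environment transform files (Web.<Env>.config) after
# Octopus has applied the transforms, so only the transformed Web.config
# remains in the production install folder.

$ErrorActionPreference = 'Stop'

# Resolve the install folder. Variable name is an assumption about Octopus'
# system variables; outside Octopus fall back to the script's own folder.
$installDir = $null
if (Test-Path variable:OctopusParameters) {
    $installDir = $OctopusParameters['Octopus.Action.Package.InstallationDirectoryPath']
}
if (-not $installDir) { $installDir = $PSScriptRoot }

# Match Web.<something>.config but never Web.config itself. A regex is used
# instead of -Filter 'Web.*.config' because the provider filter can match
# unexpected names through 8.3 short-name rules. -match is case-insensitive.
$transformPattern = '^Web\.[^.]+\.config$'

$transforms = Get-ChildItem -LiteralPath $installDir -File |
    Where-Object { $_.Name -match $transformPattern }

foreach ($f in $transforms) {
    Write-Host "Removing transform file: $($f.FullName)"
    Remove-Item -LiteralPath $f.FullName -Force
}

# The transformed Web.config must still be present; fail the deployment if not.
$webConfig = Join-Path $installDir 'Web.config'
if (-not (Test-Path -LiteralPath $webConfig)) {
    throw "Web.config missing from $installDir after cleanup"
}
Write-Host "Removed $($transforms.Count) transform file(s); Web.config retained."

# Optional check of the answer's first point: request filtering should still
# deny the .config extension at the server level. Best effort only; it must
# not fail the deployment if the module or setting is unavailable.
try {
    Import-Module WebAdministration -ErrorAction Stop
    $rule = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter "system.webServer/security/requestFiltering/fileExtensions/add[@fileExtension='.config']"
    if ($null -eq $rule) {
        Write-Warning "No request-filtering rule for .config found; verify IIS blocks .config downloads."
    } elseif ($rule.allowed) {
        Write-Warning ".config extension is ALLOWED by request filtering; .config files may be downloadable."
    } else {
        Write-Host "Request filtering denies the .config extension (allowed=false)."
    }
} catch {
    Write-Warning "Could not inspect IIS request filtering: $($_.Exception.Message)"
}
```

The regex deliberately also catches Web.Release.config, since every Web.<Env>.config is a transform source with no runtime purpose once Web.config has been generated; only Web.config is kept. The request-filtering check reports a warning rather than throwing because a missing rule is something to fix in IIS, not a reason to roll back the application deployment.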