In a scenario where the project's settings.py file is split into base, development, and production, and only the base file is tracked in VCS. Is it a problem if the SECRET_KEY is hard-coded in the production settings file. Or will having it in an environment variable a better choice? If so, why?
Is having it pulled from the system somehow more secure than written in plain text inside the file?
I would say the security for both methods are the same. Written down in a file (which is not committed to the source code repository) or as a environment variable would have the same effect.
If your system is compromised in a way someone got access the server, both methods would expose your security key. So, it wouldn't make much difference.
Now, I would say using environment variable is a better strategy. Not related to security though. But usually it is not a good idea to rely on uncommitted files to run a project. It's one of the causes of the famous in my machine it works problems. And it also make initial setup of a project difficult for newcomers.
For this kind of settings and configuration management, there is a great python library called Python Decouple. It's worth checking it out. I use it in every Django project I work with.