No, it isn't bad practice not to have any records, but there is a big difference between an empty hosted zone and not having a hosted zone configured at all in Route 53 but pretending that you do, by assigning Route 53 nameservers to a domain without a matching hosted zone in Route 53.
Route 53 has 2,048 nameservers. (Technically more than that, due to anycast, but there are 2048 unique nameserver names associated with Route 53.) Each time you create a hosted zone, it is assigned to 4 of these servers, which must be configured with your registrar so that queries are delivered to the correct 4 servers -- the other 2,044 Route 53 servers will reject queries for your domain, if they arrive, but they won't unless you misconfigure the authoritative servers with your registrar.
If you delete that hosted zone and leave the registrar pointing to those 4 servers, then your domain can theoretically be hijacked. Someone would only need to create, delete, create, delete... a hosted zone for your domain not more than 512 (2048 รท 4) times in Route 53 before they would end up with a hosted zone on at least one of your originally-assigned nameservers -- which you abandoned.
If you do not delete the hosted zone, this is impossible, because the nameservers will not be assigned to a new hosted zone for the same domain if you still have yours.
This is not a security vulnerability in Route 53. It's a malicious user taking advantage of a misconfiguration created by the domain owner, pointing their authoritative nameserver settings to machines that aren't in fact authoritative. It wouldn't work very reliably, but it would definitely be bad practice to set yourself up for such a scenario. A malicious user could easily identify a domain with such a misconfiguration because Route 53 will actively refuse to handle DNS queries it receives for unexpected domains, returning a reply message to that effect, rather than returning an error like NXDOMAIN
as it would for a valid configuration without any actual records in the hosted zone.