lapsio
Long time Member
Topic Author
Posts: 514
Joined: Wed Feb 24, 2016 5:19 pm

Any advantages of stateless firewall on RouterOS?

Mon Jul 17, 2017 11:44 am

I've noticed several times already that people configure the RouterOS firewall in a stateless fashion on production. Is there any actual reason not to use conntrack/fasttrack in more security-critical installations? Because I have the opportunity to "fix" a terribly illegible and messed-up mtk config backing a monitoring system. It's using a stateless firewall, so I'd like to reconfigure it to a stateful approach, maybe even with fasttrack enabled, but I'm not sure if there are any security implications of such a change.
 
Cha0s
Forum Guru
Posts: 1142
Joined: Tue Oct 11, 2005 4:53 pm

Re: Any advantages of stateless firewall on RouterOS?

Mon Jul 17, 2017 6:14 pm

Connection tracking takes up a lot of resources.

On core routers it's counterproductive to use CT as it will slow things down considerably on high traffic (and especially during DDoS attacks).

Nowadays with RAW filters you can still use CT for input/output chain (to protect the router) but bypass CT for forwarded traffic using IP > Firewall > RAW.
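One way to lay out the RAW-table split described above, as an added example that is not from this thread or from MikroTik's documentation: transit traffic is marked notrack in prerouting, while packets addressed to the router itself stay tracked so the input chain can still match on connection state. The interface name ether1 (WAN) and the use of the address-type matcher are my assumptions.

```routeros
# Added example (assumed topology: ether1 = WAN). Not from the thread.
# Anything whose destination is not a router address is transit traffic:
# skip conntrack for it. Note what that costs: NAT, fasttrack and
# connection-state matching all depend on conntrack, so untracked flows
# get none of them and the forward chain must be written stateless.
/ip firewall raw
add chain=prerouting dst-address-type=!local action=notrack comment="bypass CT for forwarded traffic"

/ip firewall filter
# Input chain: traffic to the router itself is still tracked, so the
# usual stateful protection of the box keeps working.
add chain=input connection-state=established,related action=accept comment="router stays stateful"
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 action=drop comment="drop everything else from WAN"

# Forward chain: no state available here, so new inbound TCP from the
# WAN is recognised by its flags (SYN without ACK), not by connection-state.
add chain=forward in-interface=ether1 protocol=tcp tcp-flags=syn,!ack action=drop comment="stateless: block new TCP from WAN"
```

A quick check that the split took effect: `/ip firewall connection print` should list only sessions involving the router's own addresses, and `/ip firewall raw print stats` should show the notrack rule's counters rising with forwarded traffic.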
 
barkas
Member Candidate
Posts: 260
Joined: Sun Sep 25, 2011 10:51 pm

Re: Any advantages of stateless firewall on RouterOS?

Mon Jul 17, 2017 10:31 pm

In redundant setups, statefulness might not be wanted since state tables are not replicated.
Also, performance.
 
lapsio
Long time Member
Topic Author
Posts: 514
Joined: Wed Feb 24, 2016 5:19 pm

Re: Any advantages of stateless firewall on RouterOS?

Tue Jul 18, 2017 12:33 am

What do you mean by "performance hit" - memory, CPU or both? Also, how serious is it? The device used here is an RB951, so quite a weak device considering it's handling monitoring traffic and a parking lot hotspot. I'd need to perform some tests to give more detailed info, but roughly what's the performance impact - 10, 50, 200, 1000%? Also - it's supposed to be using an IPSec VPN now - doesn't VPN require conntrack anyway?
 
normis
MikroTik Support
Posts: 26378
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Any advantages of stateless firewall on RouterOS?

Tue Jul 18, 2017 10:34 am

If you are considering IPsec, I suggest switching to a device that does hardware-level encryption, since this will bring your device to its knees first, not the firewall.
