I would guess that it's a bit of "security through obscurity". Perhaps they are trying to protect against someone attacking their FTP server at random, managing to brute-force a username and password, and then trawling through the files to see if there is anything interesting (there are lots of bots out there that behave this way). Removing the 'ls' command would prevent the attacker from finding any files on the server. However, if the attack is specifically targeted toward that server, this particular counter-measure would be less effective, as the attacker would likely have more knowledge of what they are trying to get from that server. Someone there thought that the security-vs-convenience tradeoff in this case was worth it - obviously, that's not a universally-held opinion. :-)
Hopefully that isn't the only security measure that they are relying on, though - if it were me, I'd implement things like denyhosts (to detect and block IP addresses after a number of unsuccessful login attempts) and a half-decent password policy (minimum length, non-dictionary word, etc.) to counteract the brute-force attack. Just my 2 cents, of course... and I also am not a "security expert", but I do play one on TV.
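The lockout idea mentioned above (block an IP address after a number of unsuccessful login attempts), sketched as an added example that is not part of the original post and is not DenyHosts' own code. The vsftpd-style log format, the threshold, the time window and the function name `find_offenders` are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a vsftpd-style format (assumed; the post names no FTP server).
SAMPLE_LOG = """\
Mon Mar  4 10:00:01 2024 [pid 101] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:00:03 2024 [pid 102] [root] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:00:05 2024 [pid 103] [alice] OK LOGIN: Client "198.51.100.20"
Mon Mar  4 10:00:06 2024 [pid 104] [test] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:00:09 2024 [pid 105] [ftp] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:02:00 2024 [pid 106] [bob] FAIL LOGIN: Client "198.51.100.44"
Mon Mar  4 10:30:00 2024 [pid 107] [bob] FAIL LOGIN: Client "198.51.100.44"
Mon Mar  4 11:10:00 2024 [pid 108] [bob] FAIL LOGIN: Client "198.51.100.44"
Mon Mar  4 11:10:30 2024 [pid 109] [bob] OK LOGIN: Client "198.51.100.44"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>FAIL|OK) LOGIN: Client "(?P<ip>[^"]+)"$'
)

def find_offenders(log_text, max_failures=3, window=timedelta(minutes=10)):
    """Return {ip: sorted usernames tried} for every IP with more than
    max_failures failed logins inside a sliding time window."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    tried = defaultdict(set)     # ip -> usernames seen in failed attempts
    offenders = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] == "OK":
            continue  # ignore unparseable lines and successful logins
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        ip = m["ip"]
        tried[ip].add(m["user"])
        q = recent[ip]
        q.append(ts)
        # Age out failures that fell outside the window, so occasional typos
        # by a legitimate user never accumulate into a block.
        while ts - q[0] > window:
            q.popleft()
        if len(q) > max_failures:
            offenders[ip] = sorted(tried[ip])
    return offenders

if __name__ == "__main__":
    for ip, users in find_offenders(SAMPLE_LOG).items():
        print(f"block {ip}: failed logins as {', '.join(users)}")
```

The returned addresses would then be fed to whatever does the blocking (a firewall rule or a hosts.deny entry); the three spaced-out failures from the second address stay under the threshold because each one ages out before the next arrives.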