Well, your sysadmin may not realize it, but chances are the .NET Framework is already installed on the server hosting SQL Server. The Framework is pre-installed on all newer versions of Windows, and is required for the SQL Server installer to function since at least SQL Server 2008 (and maybe SQL Server 2005). I have heard rumors that once SQL Server is installed you can uninstall the .NET Framework, however that may lead to unintended consequences and I am not sure that is a supported configuration.

As for security concerns, having the .NET Framework installed on a server is not typically considered a security threat in and of itself but anything you have installed on a server increases the attackable surface area that you need to protect against so your sysadmin is right to consider all possibilities.

It's also possible your sysadmin may have been referring to the SQLCLR, and not necessarily the .NET Framework itself. While the .NET Framework is installed on the operating system, SQLCLR is an option that must be enabled within the database engine that leverages the .NET Framework. The SQLCLR feature is disabled by default within SQL Server and while it is not typically considered a security threat in and of itself, as I said, anything that is enabled (or installed) is worth investigating as a potential security threat to ensure your systems are properly secured.