The Security Risk of Expired Domains has published an excellent blog post on the risks of letting your domain name expire:

We have witnessed this phenomena ourselves at Stargate Connections. In one key instance, a customer shuttered a website they no longer wanted to maintain. Shortly thereafter, their domain name was purchased by a new party who promptly harvested a copy of the original website from the Internet Archive, without permission, and re-post it at the newly-acquired domain.

Unsuspecting visitors to this site would have mistaken this for the same site, yet it had been modified in subtle ways for unknown intent. It's possible those intents were simply benign attempts to generate ad revenue, but they could just as easily been used for malicious purposes.

It is our general recommendation that customers should retain custody of their existing domain names for as long as possible. Even if you decide to change the primary domain of your website, plan on keeping the original one and have us redirect it to the new one. If you decide to shutter the site, ask us what arrangements can be made to host a simple message at the domain stating the website is closed.