
The curves secp256r1 and secp256k1 have comparable security.

If we consider only the best known attacks today, they have very close security. Both curves are defined over prime fields and have no known weakness, therefore the best attack that applies is Pollard's Rho. Its complexity is: $\sqrt{\frac{{\pi}n}{2m}}$ where $n$ is the order of the curve (if it's prime, such as in our cases) and $m$ is the order of the automorphism (see this paper for the details of the following).

Now, all elliptic curves have an automorphism of order 2; this is provided by the point inversion map, i.e., the fact that for $P=(x,y)$, $-P=(x,-y)$.

secp256k1 has an additional automorphism because it belongs to a special class of elliptic curves, sometimes referred to as Koblitz (although this has led to some confusion, and some people have mistakenly called it a binary curve), which have an additional automorphism. This allows mapping the point $P=(x,y)$ to either $\lambda P=(\beta x,y)$ or $\lambda^2 P=(\beta^2 x,y)$ where $\beta = \sqrt[3]{1} \pmod{p}$, $\lambda = \sqrt[3]{1} \pmod{n}$. This can be combined with the inversion map to achieve order 6. Given the two numerical values for the orders, using base 2 logs we obtain:

Security secp256r1 = $\log_2\sqrt{\frac{{\pi}n_{secp256r1}}{4}}=127.83$

Security secp256k1 = $\log_2\sqrt{\frac{{\pi}n_{secp256k1}}{12}}=127.03$

These are comparable.

Then, considering rigidity, secp256k1 is more rigid than secp256r1. So it is theoretically possible that secp256r1 was chosen to belong to a secret class of elliptic curves that are not as secure as we think.

Then, considering special classes of elliptic curves, secp256k1 belongs to a special class, because its parameters were not randomly chosen, while those of secp256r1 look random (but we can't be sure due to secp256r1's rigidity issue). Thus it is theoretically possible that secp256k1's class will be found not as secure as we currently think. But this class is well known, and so far the only issue is that additional negation map, which, by the way, allows for faster scalar multiplication computation than, e.g., secp256r1.

It is difficult to judge how the rigidity and special class considerations affect the overall security of the curves. On one hand the NSA generated secp256r1 using a process that people don't fully trust; on the other hand secp256k1 has been chosen to belong to a special class of elliptic curves.

In my personal opinion these two facts cancel each other. Therefore, in this case, I chose to stick to the current best known attack as the measure of security and conclude that they have comparable security.
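The Pollard's Rho estimate and the extra automorphism described in the answer above can be checked numerically. The following is an added example, not code from the answer's author: it uses the secp256k1 domain parameters and the secp256r1 group order (assumed to be transcribed correctly from SEC 2), finds non-trivial cube roots of unity $\beta$ modulo $p$ and $\lambda$ modulo $n$ by exponentiation rather than hard-coding them, verifies $\lambda G = (\beta x, y)$ on the generator with a plain affine scalar multiplication, checks that composing with negation gives an element of order 6, and evaluates $\log_2\sqrt{\pi n / 2m}$ for both curves. The helper names (`ec_mul`, `find_endomorphism`, `rho_security_bits`, ...) are my own.

```python
import math

# secp256k1 domain parameters (SEC 2), assumed transcribed correctly
P = 2**256 - 2**32 - 977
A, B = 0, 7
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
G = (GX, GY)
N_K1 = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
# secp256r1 group order (SEC 2); only the order is needed for the estimate
N_R1 = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def is_on_curve(pt):
    """True for the point at infinity (None) or any (x, y) with y^2 = x^3 + 7 mod p."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition on secp256k1; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:      # P + (-P) = infinity
            return None
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope (doubling)
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, P) % P           # chord slope
    x3 = (s * s - x1 - x2) % P
    y3 = (s * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (educational, not constant-time)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def nontrivial_cube_root_of_unity(m):
    """Return some r != 1 with r^3 = 1 mod m; requires m = 1 (mod 3) and m prime."""
    assert m % 3 == 1, "no element of order 3 unless m = 1 (mod 3)"
    for g in range(2, 1000):
        r = pow(g, (m - 1) // 3, m)
        if r != 1:
            return r
    raise ValueError("no non-trivial cube root of unity found")


def find_endomorphism():
    """Find (beta, lambda) with lambda*G == (beta*Gx, Gy), i.e. the order-3 automorphism."""
    beta = nontrivial_cube_root_of_unity(P)
    lam = nontrivial_cube_root_of_unity(N_K1)
    lam_g = ec_mul(lam, G)
    # beta and lambda each have two non-trivial choices; pick the pairing that matches
    if lam_g[0] != beta * GX % P:
        beta = beta * beta % P
    assert lam_g == (beta * GX % P, GY), "cube roots do not pair up as an endomorphism"
    return beta, lam


def multiplicative_order(u, m, limit=12):
    """Smallest k >= 1 with u^k = 1 mod m, searching up to `limit`."""
    for k in range(1, limit + 1):
        if pow(u, k, m) == 1:
            return k
    return None


def rho_security_bits(n, m):
    """log2 of the Pollard's Rho cost sqrt(pi*n / (2*m)) from the answer above."""
    return 0.5 * (math.log2(math.pi) + math.log2(n) - math.log2(2 * m))


if __name__ == "__main__":
    beta, lam = find_endomorphism()
    print("beta =", hex(beta))
    print("lambda =", hex(lam))
    print("order of -lambda mod n:", multiplicative_order((-lam) % N_K1, N_K1))
    print("secp256r1 (m=2): %.2f bits" % rho_security_bits(N_R1, 2))
    print("secp256k1 (m=6): %.2f bits" % rho_security_bits(N_K1, 6))
```

The two printed estimates reproduce the 127.83 and 127.03 figures in the answer; the automorphism check shows concretely that multiplying by $\lambda$ only touches the $x$-coordinate, which is why Pollard's Rho can treat the six points $\pm P, \pm\lambda P, \pm\lambda^2 P$ as one equivalence class.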