I looked at what it would take to remove the Spring Framework from Jenkins core. Core does not directly use anything from Spring except a trivial type DataAccessException which could easily be stubbed out, and some stuff related to parsing SecurityFilters.groovy which could be thrown out and rewritten using plain old Java calls. The main problem is acegi-security (the predecessor to Spring Security IIUC) which is used heavily and which appears to have hard dependencies on various core parts of Spring. The spring-web dep is optional, though.
Various plugins import Spring Core classes, but again that is a hard dep of ACEGI Security anyway. BeanBuilder is used by some security realm plugins, but that would still be compatible if this stuff were simply split to a plugin. (I had hoped ldap PR 17 would delete LDAPBindSecurityRealm.groovy but no such luck.)
Not proposing to do JENKINS-5303, which would be an update and would be of ACEGI Security which is heavily used. Would just be a regular plugin split, helpful also for JENKINS-29068. Would be desirable to also do JENKINS-28942 so that we could really get rid of spring-web and spring-webmvc, at least if ldap and active-directory deleted their old BeanBuilder calls.