In all the logs I've ever looked at... and trust me I have sometimes a many 10s of GB per month.
Not once have I seen a single request for anything except "favicon.ico"
Back in the early days, when favicon wasn't standardized... sure.
Its not something you need to worry about.
I could go all the way back to 2000 for the place I work and grab all the logs and grep through them for something like "favicon.*" and exclude all "favicon.ico" (case insensitive)... bet you I'd find the user agent to be scrubbers or not friendly robots.
You see, if there is support for these OLD formats, that makes the VHOST/machine more intriguing and therefore will be hammered on for OLD OLD OLD exploits (to perchance come across an old PHP app or old CGI script) and just drive up your bandwidth.
Its just NOT something I'd even support and have argued with SEO twinks about it for days on end. Google doesn;t require anything except a valid favicon.ico... and does *NOT* mark you off for it.
Its just like some SEOs thinking "#" at the end of the URL is a bad thing. No... its ignored anyway, its just a frickin' place holder.
Just because someone says you *HAVE* to support it, doesn't mean you should.
Its truly not something you want to even begin to support.
I've checked my Web Application Firewalls... and wouldn't you know it...
Surprisingly, there are optional rules to tell it to ignore requests for favicon.(NON-ico) and to not even reply to the request.
We don't have the optional rules enabled since they also block using "+" as a separator for certain things in our CMS.
Its really not worth it.