Can a form with a disabled <input type="submit"> be hacked to submit anyway?

Yes, I don't even need your form to submit it. I can use cURL or a similar library to just send a POST request as if it came from a form.

Always validate everything server-side, you don't always get what you expect.

Anyone skilled enough with the 'Element Inspector' of most modern browsers can add/edit/remove any attribute and their values.

Using this method I can remove the disabled attribute and then just click the submit button

That and you can run javascript through the console or the address bar/bookmark like this

javascript:document.getElementsByTagName("form")[0].submit();void(0);

Forms can also be submitted using server-side libraries like cURL