We do not use xp_cmdshell because of the bad rep. The only time we used it was when we were migrating to the new server. At that time it was enabled using sp_configure and then disabled.

I have read lot of articles saying how xp_cmdshell can be used to hack your DB server.