• I think xp_cmdshell can be used securely if you take the trouble to set it up correctly.

    The one thing that I don't like is that you basically have two levels of privilege: users with sysadmin that run xp_cmdshell under the context of the service account, and non-sysadmin users who run in the context of the proxy account (or not at all if there is no proxy account).

    It would be better if you could have multiple proxy accounts, and had the ability to assign proxy accounts at the level of login, database, database user, or stored procedure. Then it would be far easier to allow the use of xp_cmdshell with the proper level of security and no more than what is needed.
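
The two execution contexts described in the comment above can be audited with read-only catalog queries. This T-SQL is an added example, not part of the original comment. It assumes it is run in `master` by a login that can read server-level metadata (for example with VIEW SERVER STATE and VIEW ANY DEFINITION).

```sql
-- Added audit example (not from the original comment). Read-only.
USE master;

-- 1. Is xp_cmdshell enabled at all?
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Context for sysadmin callers: the Database Engine service account.
SELECT servicename, service_account
FROM sys.dm_server_services
WHERE servicename LIKE N'SQL Server (%';

-- 3. Who gets that context: members of the sysadmin fixed server role.
SELECT m.name AS sysadmin_member, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- 4. Context for non-sysadmin callers: the single proxy credential.
--    No row here means non-sysadmin calls to xp_cmdshell fail.
SELECT name, credential_identity, modify_date
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';

-- 5. Who gets the proxy context: principals in master that were
--    explicitly granted (or denied) EXECUTE on xp_cmdshell.
SELECT pr.name AS grantee, pr.type_desc, dp.state_desc, dp.permission_name
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr
  ON pr.principal_id = dp.grantee_principal_id
WHERE dp.class = 1
  AND dp.major_id = OBJECT_ID(N'sys.xp_cmdshell');
```

Every grantee returned by query 5 shares the one Windows identity shown by query 4, which is the limitation the comment describes.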