opc.three (10/1/2012): "The fact remains that enabling xp_cmdshell introduces risk into an environment and there simply is no reason one needs to enable it to manage a database."

    The fact remains that you still have an unreasonable fear of it. Unless you've made the mistake of enabling a non-SA-prived individual to use it, only SAs can use it. If you have it turned off and your apps have SA privs, the first thing an attacker will do is turn it on. It won't even slow the attacker down because he'll be expecting it.

    BWAA-HAAA!!!! And there's nothing wrong with summarizing the security of SQL Server in 40 words or less. Many people apparently don't understand the basic idea of "only DBAs get SA". Perhaps the additional 11 words of "Don't forget to turn off the guest and builtin admin accounts" would help?

    xp_CmdShell is useless in the hands of an attacker because, in a properly locked down system, he can't get his hands on it. You need to concentrate on properly locking down your system because that's the real problem.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)
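The reply above turns on a few concrete, checkable conditions: whether xp_cmdshell is on, which logins hold sysadmin (every one of them can switch it on in four statements), whether anyone without sysadmin has been granted EXECUTE on it, and whether the guest and BUILTIN\Administrators accounts are still live. The T-SQL below is an added audit script written for this page; it is not code from the post or its author. It assumes SQL Server 2008 or later (the catalog views it reads) and is meant to be run as a sysadmin against a test instance.

```sql
-- Added example (not from the original post). Run as sysadmin on a test instance.
-- Assumes SQL Server 2008+ for the catalog views used below.
USE master;
GO

-- 1. Is xp_cmdshell currently enabled? (value_in_use = 1 means yes)
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Who holds sysadmin? Any application login listed here can re-enable
--    xp_cmdshell itself; the four statements an attacker with SA would run are:
--      EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
--      EXEC sp_configure 'xp_cmdshell', 1;           RECONFIGURE;
--    so an app login in this list is the real exposure, not the setting.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE sp.type IN ('S', 'U', 'G')            -- SQL login, Windows login, Windows group
  AND IS_SRVROLEMEMBER(N'sysadmin', sp.name) = 1
ORDER BY sp.name;

-- 3. Principals explicitly granted EXECUTE on xp_cmdshell in master
--    (the "mistake" the reply mentions: letting a non-SA user at it).
SELECT dp.name AS grantee, dp.type_desc, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS dp
  ON dp.principal_id = p.grantee_principal_id
WHERE p.class = 1                            -- object-level permission
  AND p.major_id = OBJECT_ID(N'sys.xp_cmdshell')
ORDER BY dp.name;

-- 4. Is a proxy account configured? Without it, non-sysadmin callers of
--    xp_cmdshell fail even if they hold EXECUTE, so this row plus a row from
--    query 3 is the combination that actually gives a non-SA user a shell.
SELECT name, credential_identity, create_date
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';

-- 5. The two accounts the reply says to turn off.
--    BUILTIN\Administrators is a server login (present on older installs);
--    guest is a per-database user whose CONNECT permission should be revoked
--    (REVOKE CONNECT FROM guest;). Checked here for the current database.
SELECT name, is_disabled
FROM sys.server_principals
WHERE name = N'BUILTIN\Administrators';

SELECT dp.name AS grantee, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS dp
  ON dp.principal_id = p.grantee_principal_id
WHERE dp.name = N'guest'
  AND p.permission_name = N'CONNECT';
```

Reading the results in the spirit of the post: an empty result from query 2 apart from the DBAs, nothing from queries 3 and 4, and no GRANT row for guest in query 5 is what "properly locked down" looks like; if an application login shows up in query 2, the xp_cmdshell setting in query 1 is irrelevant, because that login can flip it at will.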