• I will lay my cards on the table: I am in agreement with Jeff Moden.

    On a properly secured server, disabling xp_cmdshell provides so little security gain (as it can be re-enabled) that it is dangerous for people to keep saying "disable xp_cmdshell for security".

    I have just re-read this topic: If you could use xp_CmdShell securely, would...

    It contains pretty much the same content as any other discussion on this subject, namely people just saying "I disable it for security".

    There seems to be a lack of evidence to prove the point that disabling xp_cmdshell would improve security, but lots of phrases such as "layering is important" as a general justification.

    I believe that no-one said that "disabling xp_cmdshell" is a bad idea, but saying "disable xp_cmdshell for security" does seem to be a bad idea, just because it can lead to a false sense of having made the system secure, when it has made very little difference.

    So, IMHO, go ahead, disable it if it makes you happy, but don't think it has had a magic effect on the security of your system.

    If anyone does have any evidence of disabling xp_cmdshell having stopped a sysadmin from doing bad things, it would be interesting reading (just so I can laugh at how puny the sysadmin's skills were 😛 )

    MM


