• Trust is key but bottom line is xp_cmdshell is a security threat, by definition and in practice. The fewer exposures there are, the better off the environment is.

    Powering up your server could be considered a "security threat" if you can only view this sort of thing in binary terms. I believe I've seen posts suggesting that functions like xp_cmdshell simply be removed from the product, but I'd much rather people just understand the darn functionality, and not ask that parts of Microsoft products just start getting hacked off until every conceivable danger is eliminated.