And I'll encourage anyone and everyone to turn it on and leave it on because having it on isn't a security problem. Only those that can use it can turn it on ("SA" or "Control Server"). It's like the mice guarding the cheese. Only the honest mice will stay away. Having it turned off lulls people into a false sense of security thinking that any attacker, internal or external, can't turn it on and use it. Besides, even if it were off, an attacker can get to the command line with elevated privs using either CmdExec or OPENROWSET.
The key to security is to limit what the SQL Service and SQL Agent service logins can do. Turning off xp_CmdShell does nothing to keep anyone with "SA" privs (including an attacker) from turning it on. You MUST prevent that and you MUST limit what the services' privs are. Turning off xp_CmdShell doesn't even provide a layer of security.
--Jeff Moden
Change is inevitable... Change for the better is not.