I've found that most of the security concerns about xp_CmdShell are mostly based on emotion rather than anything practical. Turning it off provides no real layer of security and only hinders those that need to use it. The ONLY security concern I have about is those that allow non-SA users to use it directly. It can and should be all done through stored procedures.