While it is a nice easy way I wouldn't use it in a customer facing application setup due to the identified security risk.

All it needs is cracking the security context to allow access to xp_cmdshell.

As a DBA using xp_cmdshell for internal purposes is a different matter. It really is a very fast way to get file and directory information and the nice thing is that this information can be loaded into a table variable.