Trust is key, but the bottom line is that xp_cmdshell is a security threat, by definition and in practice. The fewer exposures there are, the better off the environment is.
You don't necessarily have to set TCP/UDP ports up to be publicly accessible; for that matter, if you care about your internet'in, you could have a box set...