You know what's the difference between XML-RPC and SSH with regard to payload
encryption and client authentication? Only the fact that SSH has the two
covered by mandatory parts of the protocol, and XML-RPC has this part
optional (HTTPS and either HTTP authentication or client certificates).
Nothing prevents you from exposing procedures only through HTTPS and only to
authenticated clients. In fact, my xmlrpcd works exactly this way.
Security-wise, your advice to use something that makes building a correct
system virtually impossible (because of quoting issues, unnecessary features
enabled by default, and others) is simply stupid and dangerous.