OK, before I begin I want to tell you that I'm really not the aggressive type, but this crossdomains.xml is really taking me out of my element...
What kind of wicked mind figured out to use the crossdomains.xml? Other than tightly coupling every backend to Flex, it is also not really understandable where the hell you're supposed to put this file. Isn't it the backend's responsibility to handle security by itself?
Practically everyone I know using Flex is basically forced to open some sort of server on his local host and use it as a proxy to get their Flex application to talk to remote services... Does it actually seem reasonable to anyone? Will Adobe PLEASE remove this very unneeded and frustrating constraint?
The crossdomain security policy stuff is annoying, but it's there to prevent this sort of scenario:
Joe Blackhat writes a Flash game about Bob the Goldfish. Joe Blackhat decides that a fun thing to do might be to write an SMTP client in ActionScript so that fans of Bob the Goldfish could unknowingly send spam while they play. The Bob the Goldfish game goes viral. Everyone is playing it and spam volume bajillion-duples. Spam kills the internet. The End.