The <any/> element: bane of security or savior of versioning?

["Costello, Roger L." <costello@mitre.org>]

Hi Folks,
 
In the repertoire of XML Schemas is the <any/> element.  The <any/>
element is used in an XML Schema to instruct an XML instance document
author: "At this point in your document you can have any element or any
string you desire."
 
From a security perspective the <any/> element represents a high risk
and should be avoided if possible.  In environments where schema
validation is used in a guarding capacity, a schema that uses the
<any/> element is likely to be marked as high risk or even forbidden
from use.
 
The solution seems clear: don't use the <any/> element.

But the situation isn't so simple....
 
Versioning XML Schemas is important.  As requirements change the schema
must change, and you would like for the schema versions to be backward
and forward compatible.  That is, you would like for an application
written to an old version of the schema to be able to process XML
instance documents written to a new version of the schema and vice
versa.
 
As we discussed on this list a couple months ago, the only way you can
achieve backward and forward compatibility in XML Schemas is through
the use of the <any/> element [1].
 
Thus you are left with two choices:
 
1. Be secure and don't use the <any/> element.  Forego backward and
forward compatibility.
 
2. Use the <any/> element to achieve backward and forward
compatibility.  Forego security.
 
This is a serious problem for my clients.
 
There must be alternatives.  

Any suggestions?
 
/Roger
 
[1] http://www.xfront.com/backward-forward-compatibility/