People say that, but I don't see how it's safe.
How do you defend against:
* attacker deposits 1 BTC
* bets it all
* wins 1 BTC
* waits for confirmation
* withdraws
* attacker deposits 1 BTC
* bets it all
* loses 1 BTC
* double-spends, effectively cancelling the deposit
* can't withdraw, but doesn't need to - the deposit never happend
In the first situation, the site is down 1 BTC.
In the second situation, the site breaks even.
Net result: site loses 1 BTC.
Waiting for 1 confirmation before you start playing isn't such a hardship, and even has the benefit of acting as a 'cooling off' period in which the player can decide if they really want to gamble.
tldr: the attacker only double spends when he loses, and in that case there's nothing *to* withdraw