> While security researchers love the entropy of randomized function layouts
I don't think any competent security researcher has anything positive to say about "security through obscurity"
At best this is a lawyer's position.
You would think, but in my experience, if you ask to just open something up, they'll start talking about "defense in depth" and it suddenly matters a lot.
Security through obscurity is bad only if the obscurity is the only measure
You can consider obscurity as concealment. You can't be attacked if you are not seen. And to see you, the attacker needs far more resources.
It's not something to over-index on, but it's not a strong protection measure. It simply raises the overall cost to attack and analyze a system.
Take the PS5, for example. It has execute-only memory. Even if you find a bug, how do you exploit it if you can't read the executable text of your ROP/JOP target?
Security through obscurity is an excellent first-line defense, as long as you have other real defenses at the next layer.
Security through obscurity is like a bike lock. It can be cracked with the right tools and effort, but massively improves security compared to leaving it out unlocked.
It’s not about security; it’s about wasting a cracker's time.
Some people find cracking them interesting and fun.
ASLR (for example) is a pretty standard technique; I thought all commercial OSes enabled this generally. What's the purpose of picking at this portion?
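As an added illustration of the two mechanisms the PS5 comment and the ASLR comment above refer to (this is example code written for this thread, not code from the page, the PS5, or any OS): a toy process model in which the attacker has an arbitrary-read primitive and wants `ret` gadget addresses. The `TEXT` bytes, the `Target` class, the 28-bit page-granular slide and the `leak_text_pointer` helper are all constructed assumptions. It shows that a fixed layout hands the attacker gadgets immediately, that a randomized base forces blind guessing (every miss is a crash), that a single leaked pointer with a known offset collapses the randomness back to zero, and that execute-only text blocks the gadget scan even when the base is known.

```python
import random

RET = 0xC3  # x86-64 opcode for 'ret'
PAGE = 0x1000

# Constructed toy text segment (not real PS5 or OS code).
# 'ret' bytes sit at offsets 5 (pop rdi; ret), 7 (pop rax; ret) and 10 (nop; nop; ret).
TEXT = bytes([
    0x55,              # push rbp
    0x48, 0x89, 0xE5,  # mov rbp, rsp
    0x5F,              # pop rdi
    0xC3,              # ret
    0x58,              # pop rax
    0xC3,              # ret
    0x90, 0x90,        # nop; nop
    0xC3,              # ret
])


class Target:
    """Toy process image: one text mapping, optionally randomized and execute-only."""

    def __init__(self, text=TEXT, aslr=True, exec_only=False, seed=1):
        rng = random.Random(seed)
        # Assumed: 28 bits of page-granular slide when ASLR is on, fixed base otherwise.
        self.base = (rng.getrandbits(28) * PAGE) if aslr else 0x400000
        self.text = text
        self.exec_only = exec_only

    def read(self, addr, n):
        """Attacker's arbitrary-read primitive over the text mapping."""
        if self.exec_only:
            raise PermissionError("text is execute-only; the read faults")
        off = addr - self.base
        if not 0 <= off < len(self.text):
            raise MemoryError("unmapped address")  # a crash: the attempt is burned
        return self.text[off:off + n]

    def leak_text_pointer(self, offset=0):
        """Simulated info leak: a pointer into text, e.g. a saved return address."""
        return self.base + offset


def find_ret_gadgets(target, base_guess):
    """Scan text through the read primitive; return absolute addresses of every 'ret'."""
    blob = target.read(base_guess, len(target.text))
    return [base_guess + i for i, b in enumerate(blob) if b == RET]


def attack_fixed_layout(target):
    """No randomization: the base is known from the binary, gadgets come for free."""
    return find_ret_gadgets(target, 0x400000)


def attack_blind_guess(target, max_attempts, seed=2):
    """No leak: guess the page-aligned base; every wrong guess crashes the target."""
    rng = random.Random(seed)
    for attempt in range(1, max_attempts + 1):
        guess = rng.getrandbits(28) * PAGE
        try:
            return attempt, find_ret_gadgets(target, guess)
        except MemoryError:
            continue
    return max_attempts, []


def attack_with_leak(target, leaked_ptr, leaked_offset):
    """One leaked pointer whose offset inside the binary is known recovers the slide."""
    base = leaked_ptr - leaked_offset
    return find_ret_gadgets(target, base)


def read_blocked(target):
    """True when the text mapping cannot be read even at the correct base."""
    try:
        target.read(target.base, 1)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print("fixed layout:", [hex(a) for a in attack_fixed_layout(Target(aslr=False))])
    randomized = Target(seed=1)
    attempts, gadgets = attack_blind_guess(randomized, max_attempts=1000)
    print("blind guessing, 1000 crashes later:", attempts, gadgets)
    ptr = randomized.leak_text_pointer(offset=7)
    print("with one leak:", [hex(a) for a in attack_with_leak(randomized, ptr, 7)])
    print("execute-only text blocks the scan:", read_blocked(Target(exec_only=True)))
```

The model deliberately ignores everything that makes real exploitation harder or easier (partial overwrites, non-crashing probes, other mappings); it only isolates the two costs under discussion: entropy without a leak, and unreadable text even with one.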
I disagree, obscurity wastes attacker resources and easily fools a lot of simple vulnerability scanners.
Obscurity is totally underrated. Attacker resources are limited.