Hacker News

otherme123, today at 7:17 AM (0 replies)

Let's keep with the analogy, as wrong as it is. If you discover a serious bug, you usually disclose it privately, allowing the maintainers to patch the problem before disclosing. When the embargo is over, the bug is already harmless. Why do we do that? Isn't that security through obscurity? Why do we consider it unethical to just disclose serious zero-day bugs that might even get someone killed, or that thousands of script kiddies who would never discover the bug on their own can profit from easily?

Security through obscurity actually works in real life. There are lots of people who hide all their lives in a humble way, only to be discovered as millionaires after they die. Because you don't have hundreds or thousands of bots looking for "vulnerabilities" in everyone's life at almost zero cost and big potential profit.