Security by obscurity does not work, because people are only creative up to a point. Hence, there are only a handful of configurations for the attacker to try out.
Contrast this with, e.g., 128-bit secure encryption, which takes 2^128 tries to break, a number with a whopping 38 zeros. Trying at a rate of 1 GHz, it takes 10^22 years to break. The two are simply incomparable, and adding a few bits of security through an obscure combination is simply not worth it.
Yet, so many people and organizations seem to prefer obscurity to actual security.


I am realizing I was only good at tests… So sad that I am one of the dumbest and just managed to fool some people with grades. But that does not help with real life.