The way I think about this, there are some aphorisms that work as actual design principles, and some that are just used to defend a decision you have already made to someone who doesn't need to understand it.
"There's no such thing as security through obscurity" is an example of the second; you can use it to mean "shut up and stop asking questions about the secure system I designed," but you can't use it to design a secure system or explain why your choices are correct.
The useful design principles behind "no security through obscurity" are just a little more complicated -- they're more like "every secure system must have defined entropy sources (such as keys) that provide a lower bound on the security budget against a hypothetical attacker with knowledge of everything except for the entropy sources." And, "because obscurity does not measurably improve the lower bound on the security budget, it is only a good idea if it also does not raise the chance of implementation errors, does not make it harder to obtain third party reviews of the system, and does not make the security of the system harder to prove." An argument about whether something is security-through-obscurity-in-a-bad-way probably actually wants to be an argument about an underlying design principle along those lines.
I don't exactly begrudge people using "shut up and trust me" phrases in situations where that's needed, but I think they're almost always unhelpful in forums like this.
I was going to make approximately this point. However, I think it's also important to have some of those "shut up and trust me" phrases codified and have them available for the layman via Google. Because sometimes those people demand "proof" or they'll go searching for it themselves and if it's right there to be found and most major sources agree... well, the discussion can then be "Is this just obscurity where security is needed?" AS IT SHOULD BE.
If you get right down to it, passwords are just obscurity. Usernames are just obscurity. In this very thread people are dismissing port knocking while it's functionally equivalent to a password.
I will personally stand by "security through obscurity is not security" forever because that way we can get to the actually interesting question -- what level is needed for this service?
Let's take a simple example from the public Internet -- you want to share something. So you put it on a server with Apache. You add TLS and PFS. You hide it in a folder structure somewhere. You add a single-use token or just htaccess.
Any of those individually would be obscurity, but put together they are most likely more than enough for... well, anyone. So is it still obscurity or actual security? That's a debate for the ages, but I think most people would agree all of those put together are fine-ish, but pick just one method and it's just obscurity.
This whole thread is basically just a philosophical debate where half the people haven't read the article, the other half disagrees with minutiae in the article, the third half disagrees with major points of the article, the 4th half is sharing anecdotes and the 5th half just wants to participate.
"There's no such thing as security through obscurity" is an example of the second; you can use it to mean "shut up and stop asking questions about the secure system I designed," but you can't use it to design a secure system or explain why your choices are correct.
The useful design principles behind "no security through obscurity" are just a little more complicated -- they're more like "every secure system must have defined entropy sources (such as keys) that provide a lower bound on the security budget against a hypothetical attacker with knowledge of everything except for the entropy sources." And, "because obscurity does not measurably improve the lower bound on the security budget, it is only a good idea if it also does not raise the chance of implementation errors, does not make it harder to obtain third party reviews of the system, and does not make the security of the system harder to prove." An argument about whether something is security-through-obscurity-in-a-bad-way probably actually wants to be an argument about an underlying design principle along those lines.
I don't exactly begrudge people using "shut up and trust me" phrases in situations where that's needed, but I think they're almost always unhelpful in forums like this.