"Security through obscurity is bad" because most companies that employ it tend to think that's enough.
This is similar to "don't roll your own crypto", which doesn't actually apply to everyone, but it's meant to stop the majority from screwing up in case they decided to do just that.
Agreed. It very very rapidly becomes a crutch. Seen it a zillion times. By forcing transparency you force developers to write good code. You also get more eyes on the problem.
We have to deal differentiate obscurity versus runtime information leaking.
Security by obscurity is like a moat around a castle. A moat makes assaulting castle walls harder. However, no one who could afford something better would propose to make a castle by putting a ditch around a house. (There were some early castles that were like this, but they became obsolete.)
This is similar to "don't roll your own crypto", which doesn't actually apply to everyone, but it's meant to stop the majority from screwing up in case they decided to do just that.