It is also important to consider the complexity too.
There is no such thing as "Security through unnecessary complexity", only the opposite.
The examples about changing port numbers are great, they are simple configuration changes, when people start wanting to add obscurity "features" they often wander down the path of complexity, inevitably adding vulnerabilities.
That's because you're looking at the order entirely wrong - you secure then obscure.