
Agree with most people here that security by obscurity is bad "by itself".

For example, changing your public server ssh port from 22 to, say, 2942 is a great way to limit the amount of bot auto-attempts trying to log into your server. Having a password-less ssh port 2942 open is clearly bad, but not when combined with all the standard good practice ssh security.



My understanding is that it's important to keep SSH (and other services) on a privileged port. (I think the default is <1024.) Otherwise, unprivileged malware could cause the SSH server to crash and take over the (unprivileged) port. No idea if this actually happens in practice though.
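A check for the privileged-port concern raised in the reply above, as an added example that is not part of either comment: it lists every port named in an `sshd_config` and marks those an unprivileged process could bind on Linux. The sample config and the function names are constructed for illustration; the boundary is read from the Linux sysctl `net.ipv4.ip_unprivileged_port_start`, falling back to 1024.

```python
import re
from pathlib import Path

SYSCTL = Path("/proc/sys/net/ipv4/ip_unprivileged_port_start")

# Constructed sample config, not taken from the thread.
SAMPLE = """\
# sshd_config (constructed sample)
Port 22
port=2942
ListenAddress [::1]:8022
ListenAddress 192.0.2.10
PasswordAuthentication no
"""

def unprivileged_start(default=1024):
    """First port any user may bind; Linux exposes it as a sysctl."""
    try:
        return int(SYSCTL.read_text())
    except (OSError, ValueError):
        return default

def configured_ports(text):
    """Every port named by Port or ListenAddress; 22 if none is named."""
    ports = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; '=' may separate key and value.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "port" and value.isdigit():
            ports.add(int(value))
        elif key == "listenaddress":
            # host:port or [addr]:port; a bare address carries no port.
            m = re.fullmatch(r"(?:\[[^\]]+\]|[^:\[\]]+):(\d+)", value)
            if m:
                ports.add(int(m.group(1)))
    return ports or {22}

def audit(text, start=None):
    """Map each port to True if an unprivileged process could bind it."""
    start = unprivileged_start() if start is None else start
    return {p: p >= start for p in sorted(configured_ports(text))}

if __name__ == "__main__":
    for port, exposed in audit(SAMPLE).items():
        print(port, "bindable without privilege" if exposed else "privileged")
```

The result is conservative: it reports every port the file names, even where `ListenAddress` entries with explicit ports would leave a `Port` line unused.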



