I agree with your understanding of security by obscurity. But I think the popular understanding has started to be more along the lines that the author counters. That if any security measure is "obscurity" then don't do it, it's bad.



This is the problem with "sound bite" bits of conventional wisdom. The more it's used and misused, the less it's actually understood. People hear "Security through obscurity is bad" and just interpret those words however they want without listening to the rest of the actual advice being given.

It's not to never use obscurity to your advantage. It's that you need to be aware (and far too many weren't at one time) that you cannot rely on obscurity as a form of defense.

If I have an old, buggy unpatched version of an admin page sitting on an obscure random URL, but I decide I don't need to bother patching it because eh, it works and it's too much effort to patch and what are the odds someone will guess my super secret random URL, then I need to think about why "security through obscurity" is bad.

And that false sense of security is why they say security through obscurity can be worse than no security at all. The key is to promote vigilance and actual hardening of systems, and not to expend precious time devising ever more elaborate obscurity hoops that cost you more than they cost an attacker in time and effort to defeat, and are in the end ineffective.

That's not to say you should leave ssh listening on port 22, you really shouldn't. It's like the difference between leaving your front door unlocked and leaving it unlocked and putting up a big neon "Open 24 Hours!" sign in the window.
