Hacker News | wintermute_'s comments

This is the problem with "sound bite" bits of conventional wisdom. The more it's used and misused, the less it's actually understood. People hear "Security through obscurity is bad" and just interpret those words however they want without listening to the rest of the actual advice being given.

It's not to never use obscurity to your advantage. It's that you need to be aware (and far too many weren't at one time) that you cannot rely on obscurity as a form of defense.

If I have an old, buggy unpatched version of an admin page sitting on an obscure random URL, but I decide I don't need to bother patching it because eh, it works and it's too much effort to patch and what are the odds someone will guess my super secret random URL, then I need to think about why "security through obscurity" is bad.

And that false sense of security is why they say security through obscurity can be worse than no security at all. The key is to promote vigilance and actual hardening of systems and not expend precious time devising ever more elaborate obscurity hoops that cost you more than they cost an attacker in time and effort to defeat, and are in the end ineffective.

That's not to say you should leave ssh listening on port 22, you really shouldn't. It's like the difference between leaving your front door unlocked and leaving it unlocked and putting up a big neon "Open 24 Hours!" sign in the window.


Read the linked excerpt, it's excellent. It is specifically a warning about the impending WW2, and an argument to keep the US out of it.


China has been using the last 19 years to do just that, building out their infrastructure and R&D (and in other countries, too, see the Belt and Road initiative) while the US has bogged itself down in the Middle East. In 2003 when the US went to war in Iraq, the US GDP was 8 times the size of China's. Today the US GDP is 1.4 times China's. The Chinese economy has grown 24 times over in the last 25 years. The US economy has about tripled (a little less) in that time.


If you read the piece OP linked (I highly recommend it, it is outstanding), or the whole book, the entire point is a warning about the looming threat of WW2, and his idea of the 3 practical steps to keep the USA out of it. So he was indeed very much against the US involvement in WW2. That's the main point of the book.

