Also, I must take some issue with the broad statement:
.... security by obscurity never works....
Security-by-obscurity is not considered a very secure form of security, but we all use security-by-obscurity every day of our lives. The Department of Defense in the US has many 'obscurity' techniques and processes used to augment security management and security services.
In fact, obscurity can be a great enhancement to a very solid 'non obscurity program'.
For example: take the user name ROOT. I have plenty of servers where we have removed the user name ROOT and replaced it with something else, say 'barbara'. So, someone sniffing the network when you accidentally login as 'barbara' might not be so excited because they are looking for 'root'. Of course, the UID is still 0 and 'barbara' is not the name of the superuser. However, a little obscurity can help and does.
Same is true with TELNET. Change the port to something else and port scanners get really confused.
Same is true with SENDMAIL. Change the configuration file to say 'welcome to sendmail version 2.3' and the version is so different than anything in the exploit database that the 'obscurity is very useful'.
Same is true for a login MOTD and getty. Instead of 'Welcome to Linux Version 1.2' many change the TELNET return to read 'Welcome to Fore ATM Switch Fabric'
Or even 'Welcome to Microsoft 2000 Professional'
... when you are running UNIX!! The indications and ramifications are obvious.
I totally agree, obscurity is not great, but it does have some nice applications that are useful combined with other stronger methods.
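Added example, not part of the original post: because a renamed superuser keeps UID 0, an account audit has to key on the UID rather than on the name 'root'. The sample passwd text, the `backup` account and the function names below are constructed for illustration.

```python
# Constructed sample in /etc/passwd format. 'barbara' is the renamed
# superuser from the post; 'backup' is a second UID-0 entry that a
# name-based check for "root" would never notice.
SAMPLE_PASSWD = """\
barbara:x:0:0:admin:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
# comment line
backup:x:0:0:backup operator:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
broken-line-without-fields
"""


def parse_passwd(text):
    """Yield (name, uid, shell) for each well-formed passwd entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # A valid entry has exactly 7 colon-separated fields and a numeric UID.
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        yield fields[0], int(fields[2]), fields[6]


def audit_superusers(text, expected_names):
    """Report every UID-0 account, whatever it is called."""
    uid0 = [(name, shell) for name, uid, shell in parse_passwd(text) if uid == 0]
    names = [name for name, _ in uid0]
    return {
        # All accounts with superuser privilege, in file order.
        "uid0": names,
        # UID-0 accounts the administrator did not declare.
        "unexpected": [n for n in names if n not in expected_names],
        # UID-0 accounts whose shell permits an interactive login.
        "interactive": [n for n, s in uid0
                        if not s.endswith(("nologin", "false"))],
    }


if __name__ == "__main__":
    report = audit_superusers(SAMPLE_PASSWD, expected_names={"barbara"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

To audit a real host, pass the contents of `/etc/passwd` and the set of superuser names you expect.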