I believe security through obscurity is good and a "nice to have".
I have disabled password login for root and all other users on my servers, and only accept very long private keys...
It seems pretty good for me.
+ Aaaand on the top of it, I've changed SSH port to something else.
So, if a 0day exploit is discovered on OpenSSH Server (or on SSL library or glibc or any other sub component I don't know) I will have more time to fix this issue than anyone else. Because probably automated bots will search through all IP v4 ip addresses and probably they will check on 22 only.
I know, I am not perfectly safe. Because if someone really wants me down, he/she can search all the ports on my server and will surely find ssh port in seconds.
But, in a mass targeted assault, my server (non default port) is probably not in the "first to look for" list.
Let's say you have a blog and the default administration panel address is "example.com/login" or "example.com/admin" or "wp-login.php". It is possible for attackers to search these addresses and try automated exploit tools on mass.
Like I said before, if an attacker is targeting me specifically, it can make a brute force search on urls and try to find admin panel; and will probably succeed. But it is not possible to search all url samples on millions of domains. See WordPress Hardening post: https://codex.wordpress.org/Hardening_WordPress
To sum up; keeping your systems up-to-date and picking strong passwords is the real deal in terms of security. On top of it, disabling default user names and keeping your entry points out of sight is the cherry on the top of cake.
Addendum: You can read these 2 posts for a more detailed examples: