
But if you do secure it properly, what value do you get from obscurity?

I think the big problem with obscurity is that its impact is asymmetric in the wrong direction: it inconveniences white hats a lot more than black hats.




Defence in depth acknowledges that there is no perfect security system.

Even if mathematically unbreakable, the implementation won't be.

This is the whole premise of defence-in-depth... delay rather than prevent.


Well sure, but there are still good and bad security systems. How does the cost/benefit of obscurity compare to alternatives?


That would be an interesting study... but one that is impractical, I think.


Well, until there's evidence of its effectiveness I'm going to avoid using obscurity. I know how to achieve an acceptably low break-in rate using mathematically valid encryption etc. Defense in depth shouldn't be an excuse for using practices you haven't evaluated the effectiveness of at all.


You're missing the point.

An acceptably low break-in rate using mathematically valid encryption... Yes, fine... Given a perfect implementation.

You haven't got one of those.


No, you're missing the point. I'm talking about the real-world implementation that I have.

I don't think it's too much to ask before adopting a given security policy that it provide some evidence that it increases security. Or should I also be gathering a collection of rocks that keep hackers away?



