That's true, and there's something to be said for that, though I'm ambivalent about exactly what that something is. That's part of why I tried to make it clear that my point was "Don't knee-jerk on this" rather than "You must stick with Rails or you are a fool." I'm not going to preach security practices at people — there are people much better qualified to do that — I just want people to make sure they understand what tradeoffs they're making with whatever decision they make. A lot of people have drastic misconceptions about these sorts of things. If you're intending to have a little site that largely depends on security through obscurity not to get owned, you should at least know that.