Risk is not just a formula. Risk is also "formulaic": when you get people used to an idea, they become blind to things outside of that idea, and therein lies the danger.
If your corporate IT group regularly asks users to send in their passwords via e-mail in order to perform some remote maintenance, then the users will be habituated to sending their password to a familiar e-mail address. If someone from outside their company asked them for their password, they would immediately say no. But an e-mail with the right "From: " address, they would quickly fall for. So it becomes easy to trick the users into sending their password to an attacker in some circumstances, because of the assumptions they make.
Security by obscurity is just another form of this: a practice which isn't really secure, but people may think is secure, because it seems to avoid the simplest, most stupid attacks. But literally any action you take could prevent the simplest, most stupid attacks. That doesn't mean that any action you take makes you "more secure".
Hiding a key under a door mat or in a sun visor isn't "more secure" than leaving it in plain view. Anyone who's not a total moron will find it, and if that's your whole security posture, you're screwed.