I think that's a naively academic and cryptographically focused view of security.
Bad actors are not a monolith. There are many different types of attackers with different means and motivations who will take different actions against different targets and different types of technologies. Threat profiling is a thing for a reason, and it absolutely does matter whether or not a particular threat has the means and/or motivation to exploit a vulnerability. It is the only thing that does matter, outside of a technical academic context.
Yes, security through obscurity is not an rigorous approach to implementing a cryptography system, but it is a completely valid approach in other security disciplines outside of cryptography or digital security. Too many people make the mistake of incorrectly assuming that cryptography security principles apply to the broader practice of security as a whole. Digital security is only as useful as it is to support a holistic model of security. Digital security in isolation is just an academic exercise. It has to be implemented to be useful, and when implemented, operational security and threat modeling are very relevant.
> If a vulnerability is patched, it doesn't matter if there are 1 or 1,000 tools targeting it.
It does matter what the real-world observed rate of patch compliance is, the cost to patch, and whether or not those tools will be used nefariously. If you have an academically obscure remote exploit for a pacemaker, that requires a hardware patch, please don't write a script that makes it easy for non technical people to exploit, and post it on GitHub. While this will certainly encourage a fix to future pacemakers, the cost may not be worth it.
Bad actors are not a monolith. There are many different types of attackers with different means and motivations who will take different actions against different targets and different types of technologies. Threat profiling is a thing for a reason, and it absolutely does matter whether or not a particular threat has the means and/or motivation to exploit a vulnerability. It is the only thing that does matter, outside of a technical academic context.
Yes, security through obscurity is not an rigorous approach to implementing a cryptography system, but it is a completely valid approach in other security disciplines outside of cryptography or digital security. Too many people make the mistake of incorrectly assuming that cryptography security principles apply to the broader practice of security as a whole. Digital security is only as useful as it is to support a holistic model of security. Digital security in isolation is just an academic exercise. It has to be implemented to be useful, and when implemented, operational security and threat modeling are very relevant.
> If a vulnerability is patched, it doesn't matter if there are 1 or 1,000 tools targeting it.
It does matter what the real-world observed rate of patch compliance is, the cost to patch, and whether or not those tools will be used nefariously. If you have an academically obscure remote exploit for a pacemaker, that requires a hardware patch, please don't write a script that makes it easy for non technical people to exploit, and post it on GitHub. While this will certainly encourage a fix to future pacemakers, the cost may not be worth it.