That's a good point, but I think it's a similar issue to computer security. Yeah, changing your SSH port to a custom one isn't going to keep out someone who scans your ports, but it will keep out the millions of losers who are looking for easy prey and not bothering with a portscan. With each security measure that is potentially crackable, but harder, the pool of crackers that are going to put in the effort gets smaller.