
You're not wrong, but considering all of the recent 0-day exploits, I would argue that it's a better practice than the whack-a-mole response from vendors like Fortinet & Barracuda.

https://www.bleepingcomputer.com/news/security/fortinet-new-...

When the vendors you're buying from aren't taking security seriously, I suppose you take any necessary step in limiting exposure. I'd also argue that outside of the big boys like Cloudflare, no one else is displaying their topology via their own website.



That's fair, but let's still call it what it is. We shouldn't normalize hiding information as some sort of form of security.


Hard to agree.

In an ideal world everyone would share their architecture, stack and so on, and we as an industry could learn from each other and everyone would have a net gain out of this information sharing.

In reality at the time that you share something in good faith you will always have someone trying to exploit it.

One example: I’ve worked on a CV production API to recognise certain documents. More than 900 days with no spikes and only real users in the system.

Then the CTO went to a conference to talk about how our performance was great and made a very large advertisement about our system. End result? 1800% spike, and tons of fraud and adversarial stuff coming in.

Not being cynical, but I do not think that we’re entitled to have any disclosure from any private company in that regard.


Fair enough.



