[Arnt]

They have a threat model, their threat model is based on reality, and their security is pretty good against the threat model. How can you say they "don't understand security"?

They also (viewed from a distance) seem to ignore people who talk about security without talking about threat models.

Security by obscurity seems to be very nearly irrelevant to the Indian Electoral Commission's security model. Security by obscurity is bad, of course, but in that model it's such a minor factor. If I were the commission I'd file people who disregard the threat model and talk about minor factors under "b" for "bikeshedders".