Agreed, what's going on should be completely transparent. The security of the system must only depend on the private keys and implementation correctness.
While security by obscurity is not ideal, it is an additional hurdle. Apple knows that security flaws in their stuff are very valuable for both nefarious and state hackers, so the chances of someone finding an issue and reporting it to them to resolve it are kinda low.
Good point, though I imagine a large bounty payable to an anonymous bitcoin address could encourage individuals within such an organization to divulge vuln info.