Perhaps a lot of brute-force try-them-all routines skip the all zeros option, and others consider an all zeros result to be invalid (internally mapped to a "no match" result or so forth). A truer security through obscurity idea I can't imagine though so if that is the case "arguably more secure" is very arguable!