Nowadays there are armies of bots that will find an insecure internet-connected server within seconds. Security through obscurity isn't much of a thing anymore.
These bots you are talking about are not intelligent, they do not find "insecure" servers to break into. They simply brute-force and exploit known bugs on popular services.
There is no botnet targeting web services running on DOS, because no one is running web services on DOS.
Finding insecure servers, what human hackers would do, requires persistence, time and a working brain.
Bots, instead, throw shit at a wall and see what sticks. Move your SSH server with credentials root:root on port 1234 and notice how many bots get utterly defeated (only for sake of argument, because OpenSSH has a banner which makes it easy to identify wherever it's running)
These tend to try the top _n_ exploits on common ports. In fact, a little obscurity rids oneself from common attacks. I usually move my Wordpress admin access to a different port and URL and that really does stop scripts from trying exploits all day long. (Of course, I make sure everything else is set for security, too.)
Yeah. I eliminated a persistent bot attack on a webapp in minutes by simply adding a very easy question on user signup (like "what's 1+1?")
Security through obscurity is an overused concept: it doesn't work against determined humans, but on the greater internet, when your adversary are bots, it is extremely effective.
It even works on determined humans. It's defeatable but dissuades many humans and slows down the rest. It is a useful layer in security. It just can't be the only layer.
There is no botnet targeting web services running on DOS, because no one is running web services on DOS.