Ever since my college Operating Systems class, I've heard this line misunderstood time and time again. The real security principle here is "Principle of Least Privilege", not "Security through Obscurity". Facebook (I hope) isn't relying on some horrible security system to protect their users in the hope that no one guesses what it is. More likely, they are just hiding information that unprivileged users don't need to know. Maybe they rolled their own, maybe they are using someone else's technology, but they certainly have no obligation to their users to spell out exactly how they handle their logins.
Security works best when it is like an onion - layered.
Tweaking a password hashing algorithm (for example, changing the initialization constant in bcrypt) does not hurt security, and means that the attacker will not have sufficient information to crack the passwords with just a database dump, and even if they have everything, a work factor should still deter cracking. Using MD5 with the output XORed against a constant would not, however, do much good.
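
The layering described in the comment above, as an added example that is not code from the thread: Python's standard library has no bcrypt and no way to change its initialization constant, so an HMAC key held outside the database stands in for the tweaked constant, and PBKDF2 iterations stand in for the work factor. All names, passwords and values are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # work factor; assumed value for this example


def slow_hash(password, salt, secret):
    """Key the password with a secret kept outside the database, then stretch it."""
    keyed = hmac.new(secret, password.encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, ITERATIONS)


def verify(password, salt, stored, secret):
    """Constant-time comparison of a candidate password against a stored hash."""
    return hmac.compare_digest(slow_hash(password, salt, secret), stored)


def md5_xor(password, constant):
    """The weak scheme from the comment: MD5 output XORed with a fixed constant."""
    digest = hashlib.md5(password.encode()).digest()
    return bytes(a ^ b for a, b in zip(digest, constant))


def recover_xor_constant(known_password, stored):
    """XOR is its own inverse, so one row whose password is known gives the constant back."""
    digest = hashlib.md5(known_password.encode()).digest()
    return bytes(a ^ b for a, b in zip(digest, stored))


def demo():
    secret = os.urandom(32)  # constructed; lives in app config, not in the database
    salt = os.urandom(16)    # per-user salt; this is what a database dump contains
    stored = slow_hash("correct horse", salt, secret)

    # Layer 1: with the dump alone (salt + hash, no secret) even the right guess fails.
    dump_only = verify("correct horse", salt, stored, bytes(32))
    # Layer 2: with the secret, each guess still costs ITERATIONS rounds.
    with_secret = verify("correct horse", salt, stored, secret)

    # The MD5 + XOR variant adds no real layer: a test account's row reveals the constant.
    constant = os.urandom(16)
    row = md5_xor("test-account-pw", constant)
    recovered = recover_xor_constant("test-account-pw", row) == constant
    return dump_only, with_secret, recovered


if __name__ == "__main__":
    print(demo())
```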