Security doesn't always mean "seeing something you're not supposed to see". He's saying that the boards are public, so people are able to just change the number at the end of the URL to find them all.
You can have the same issue with scrapers. It's much easier for scrapers to get all your pages if you use sequential numbers for unique IDs.
Yes, a search engine could index the pages, but the big engines will obey your robots.txt, and the small engines will never know that you exist most likely.
So s/he's not trying to "secure" anything as much as just hide it.
Security by obscurity isn't a bad practice, it just shouldn't be your main practice. Absolutely design your system with the assumption that the attacker has complete access to all information about your setup, but it's still reasonable to try to obscure as many of those details as possible. Your setup will have flaws and you will make mistakes, so you want to try to minimize the damage those mistakes might cause and increase the time/effort needed to exploit them.
You can have the same issue with scrapers. It's much easier for scrapers to get all your pages if you use sequential numbers for unique IDs.
Yes, a search engine could index the pages, but the big engines will obey your robots.txt, and the small engines will never know that you exist most likely.
So s/he's not trying to "secure" anything as much as just hide it.