• Obscurity definitely helps. After all, security isn't a set process. People don't do A, then B, then C. Some do A and B, some B and C, some A and D. We all have holes and they don't correspond to any hierarchy.

    However, I'm not asking for immediate release of a breach, other than notification to affected parties. For the technical details, give people some time, maybe 4-6 months, to remedy the issue and then they need to disclose some technical analysis. Not necessarily your architecture, though some disclosure is unavoidable, but definitely some technical details that would enable others to check their systems for issues.

    I know this might cause more attacks, but it would also force companies (or maybe insurance companies would force them) to spend time and $$ to clean up poorly configured or architected systems. Maybe SQL Injection would be less of an issue because poor coding practices using dynamic SQL and implicit parameters would be eliminated.