The higher level of abstraction behind an article like this is that security is a mitigation activity within a broader risk management plan. Most of the time, the best practices in the security field are best practices for good reasons - they costs are a reasonable to mitigate the business risk of not having security, so we do them.
But there are times when you just need to discourage people, not truly secure a site. Not many, but they do exist. Pseudo-security in those cases is cheap and meets the business needs. Likewise, there are times when best practices aren't good enough, and you need to go beyond the norm.
Either extreme is driven by thinking through the acceptable risks, evaluating costs, and making a decision.
But there are times when you just need to discourage people, not truly secure a site. Not many, but they do exist. Pseudo-security in those cases is cheap and meets the business needs. Likewise, there are times when best practices aren't good enough, and you need to go beyond the norm.
Either extreme is driven by thinking through the acceptable risks, evaluating costs, and making a decision.