Despite the "only security through obscurity" meme, you need to understand it, not just say it.
There are only two types of security:
1) security through obscurity,
and,
2) security through inaccessibility.
They can, however, be intelligently combined.
Please note that private key encryption is security through obscurity. Cutting the phone line is security through inaccessibility. Saying that "it's secure because they can't get the prime factors of that key" is security through obscurity.
Despite the meme, security through obscurity is widely and properly used. What's wrong if false obscurity, which is common. If you don't properly assess just how obscure your secret is, then you have a security failure.
So having a monoculture is reduced security, because that means that there are a much larger number of entities seeking to discover the secret...and any breach in security cannot be easily contained. If you don't have a monoculture, then a single breach cannot be as widely damaging, and is thus also less valuable to find. This is a sort of network effect.
OTOH, a diverse community means that more effort needs to be devoted to security, because each branch is a separate thing to be maintained. So it's not all benefit or all loss, it's a mixture.
FWIW, I choose not to have flash installed on my system, despite the fact that it would have some utility, because I consider that the weakness that it presents is not worth the benefit. The ability of refuse to have such a service installed allows increased security...at a cost. For some people the cost is higher than they are willing to pay. This reduction of the attack surface is a form of security through obscurity mixed with security through inaccessibility, i.e., I have become inaccessible to some forms of attact, and I have reduced my visibility to many attackers.