I think the contribution of Nielsen's idea, if any, is to remind us all that security always involves tradeoffs. You're right that masking passwords provides some protection--most security measures, even the inane ones, provide some protection. You know, someone really could hide a bomb in their shoe.
But of course that is not the end of the story. Nielsen, and others such as Bruce Schneier, want us to ask how much security the solution provides, what the costs are, and whether it provides a good tradeoff. If shoulder surfing is relatively rare, and the possible harm for the site in question is small, and the costs are relatively large (lost customers etc), then maybe a site or program shouldn't mask passwords even if they provide some security.
Sure, Jakob Nielsen may be wrong about the tradeoff in this case, and may not have enough evidence to back up his arguments, but I would argue that pointing out that the solution provides a nonzero amount of security does not resolve the question.