
LPT, this is an object lesson in the weakness of security through obscurity


Security by obscurity can be a great additional measure for an already secure system. It can reduce attack surface and make it less likely to get attacked in the first place. In some cases (like this one) it can also be much easier to break than expected.


I mean you could argue that this is more of a multi-factor authentication lesson.

Just knowing 1 "secret" — a subdomain in this case — shouldn't get you somewhere you shouldn't.

In general you should always assume that any password has been (or could be) compromised. So in this case, more factors should be involved such as IP restricting for access, an additional login page, certificate validation, something...
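An added example (not from the thread or any project it discusses) contrasting the two gates the comment describes: one where reaching the right hostname is the whole check, and a layered one where the hostname is necessary but never sufficient. The hostname, the address allow-list and the request fields are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: an "obscure" admin hostname and a source-address allow-list.
ADMIN_HOST = "admin-7f3a9c.example.com"
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Request:
    host: str                          # Host header / SNI the request arrived on
    remote_addr: str                   # peer address from the socket or TLS terminator,
                                       # never from a client-supplied X-Forwarded-For
    client_cert_verified: bool = False # set by the TLS layer after mutual-TLS validation
    session_authenticated: bool = False# set only after the login page succeeded


def obscurity_only(req: Request) -> bool:
    """The weak gate: knowing the subdomain is the whole check."""
    return req.host == ADMIN_HOST


def layered_gate(req: Request):
    """Every factor must hold. Returns (allowed, reasons) so a denial can be
    logged with the factor(s) that failed rather than silently dropped."""
    reasons = []
    if req.host != ADMIN_HOST:
        reasons.append("unknown host")
    try:
        addr = ipaddress.ip_address(req.remote_addr)
    except ValueError:
        reasons.append("unparseable source address")
    else:
        # IPv6 peers never match an IPv4 network, so they fall through to denial.
        if not any(addr in net for net in ALLOWED_NETS):
            reasons.append("source address not in allow-list")
    if not req.client_cert_verified:
        reasons.append("no verified client certificate")
    if not req.session_authenticated:
        reasons.append("no authenticated session")
    return (len(reasons) == 0, reasons)
```

Run against a request from an unknown address with only the hostname in hand, the first gate lets it through while the second denies it and names three missing factors.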



