One defender, many attackers, I don't see how the economy of scale can be positive for the defender.

Assuming your code is inaccessible isn't good for security. All security reviews are done assuming code source is available. If you don't provide the source, you'll never score high in the review.