It's just a good component of a defense in depth approach. Where it's bad is when it's the only defense. Putting a sensitive server behind port knocking will cut down on 99.99999% of random internet IPs spraying attacks at it, so it's worth doing. Just don't rely on it for the only auth check.