You're right in your facts, but I think not-quite-right in spirit.
Port-knocking adds some entropy to your effective password, yes. But if all you wanted was
some extra entropy, you'd be much better off just choosing a slightly longer password or key
-- just as secure, and substantially more convenient.
But people use port knocking despite this. AFAICT, there are two reasons: (1) its
rube-goldbergian complexity and attendant ritual appeal to a certain sort, who feel it *must*
therefore be secure. This is exactly the impulse that security people are (rightfully) trying
to squash when they sneer about security through obscurity. (2) its relative scarcity does
provide some security benefit -- since only weirdos use port-knocking, the script kiddies
don't bother trying to brute-force it, and casual attackers will in fact be repelled. This
also makes it easier to distinguish casual and determined attackers -- e.g. only one leaves
lines in the ssh logs -- and so on. If it ever becomes popular, of course, the script kiddies
will catch on and this effect will disappear.
So port knocking provides no magic bullet against determined attackers (but people who
encounter it often fall for (1) and think it does, and the more it gets advocated the more
this nonsense gets carried along), not much benefit in the long run (which makes it curious
that people advocate it at all; if you are using port knocking for the "right" reasons, you
should discourage everyone else from using it, which may make some suspicious whether people
*are* using it for the right reasons), and engineering-wise it is just so *silly* that it leaves a
bad taste in the mouth -- no-one wants this to become the usual way of designing security