Re: Not Surprising.
There are really two schools of thought on this.
The first is that a highly mobile attacker can harry the hillsides and strike at weak points, drawing out the limited manpower that an entrenched static defender can spare and whittling them down over time through ambushes. The mobile attacker sets the tone of the engagement and chooses the time and place.
A well prepared defender, however, can weather a siege for years. By being static they can bring to bear far heavier and more powerful weaponry, making even approaching the fortress spectacularly costly. A well prepared defender has either alternative (underground) routes of ingress/egress and thus can bring in supplies to weather the siege or they have internal generation capacity that means so long as the attackers can be held at bay, they can live there indefinitely.
A mobile attack force has easy access to its own supply lines easily, and could theoretically discover the emergency routes for the static defender. But the mobile force is vulnerable to cavalry sent out by the static defender to harry them behind their lines.
War is not so simple as to boil it down to "a mobile force will always beat a static defender." Ask the Germans in WWII what they thought of the British 17 pounder anti-tank installations!
War is a game of knowing your enemy, and customizing your tactics to suit. The side with the best intelligence wins. If I am defending a great big fat target I have two options: try to hit the attackers way before they get within firing range or try to make it so costly to get within firing range that they wouldn't dare try.
The first approach requires me to know how many of the attackers there are, what they're equipped with, where they are and where they are going. That's four points of data needed to successfully find and kill an attacker using a mobile force.
The second approach requires me only to know two things: how far can they shoot and how hard do those shots hit? If I know that then I can design my static defenses to shoot farther than them and I can make rational choices about "shoot more things to wipe them out before they get in range" or "invest in armour so that I can tank a few hits whilst I mow them down."
They'll change tactics and maybe even invent new weapons. As the defender, I have to know about that before their own soldiers do and be able to develop countermeasures before they can bring them to bear. I'd also be well advised to keep a light cavalry regiment on hot standby in case I happen upon actionable intelligence. Never underestimate the blow to morale that a successful cavalry raid can cause!
If what you are defending is a small target - man portable, say - then by all means splinter into a thousand different groups and disappear into the hillsides. So long as you have a means of communicating you can coordinate counterattacks against any attacker and use guerrilla tactics to drive them out of your land.
But that's really the question, isn't it? What are you trying to defend? Purpose dictates options, and limits on options are limits on available strategies. Once you've picked your strategies, it comes down to the tactics of the individual units, their ability to communicate...
...and the quality of the intelligence you've based your battle plan on.
Infosec has four parts: prevention, detection, mitigation and response.
It is impossible to prevent all attacks. It is impossible to detect all attacks. It is impossible to mitigate damages from all attacks such that they require no response. Anything that makes it to the "requires response" layer will be huge, so have your response well rehearsed.
Prevention is a lock on a front door. It might keep a few people out, but it falls to a good swift kick. Detection lets you know when someone has kicked in the door and allows you to react. Mitigation would be the ability to reconfigure the hallways so that someone who has taken the time to kick down your front door is presented with a trove of easily stealable goods that look valuable but are, in fact, worthless.
Response comes into play when the fellow who has kicked in the door realizes that the hallways have changed, pulls out an exacto knife, and cuts through the drywall to get at the surprise on the other side. Here you could have anything from a 40lb rottweiler waiting to simply "having insurance" to deal with the theft.
Of course, if you'd had good intelligence that a skilled attacker was going to attempt a breach, you could save yourself some trouble by hiring a cop to watch the place while you're out during the window where the attack is supposed to take place. You could undertake inconvenient security measures for the period of high vulnerability, like having legitimate staff use the back door and/or increasing the number of honey pots you have to work through to get to the good stuff.
And of course, don't forget cavalry raids of your own: get a digital attacker to drop their payload on a honeypot system, then crawl back through the link and nuke the CNC servers. Preferably by figuring out where they physically live and having large men with automatic weapons bust down the doors with a warrant and cart the servers away for analysis.
Never simply rely on a large, sturdy-looking lock. By the same token, never assume that a fixed installation can't be adequately defended.
As the man in the original article said, the secret is to raise the cost to the point that the attacker won't want to play any more. If your guns can outshoot theirs, then they lose so many men getting into firing range that attempting to attack your castle is an exercise in insanity.