My main disappointment is that I'm not sure it will be reasonably applied, as so many things could be interpreted as having national security implications when in reality they're only used with security-sensitive data.

Or alternately, every system that handles private information (which, for a government, is basically all of them) will be considered to be a security risk to open-source even though the dataset will still be private.

"Security through obscurity" will mean that nothing gets opened.