Channel: WordPress.org Forums » [Wordfence Security - Firewall, Malware Scan, and Login Security] Support

mountainguy2 on "[Plugin: Wordfence Security] Renaming /readme.html is extremely poor behaviour"


Just to add to the fray, indeed some polite discourse is the style of this forum. Sorry to see it get a little bit too lively, but good to see some passion. The support here is amazing; strange but true, it can be more timely in my experience than if you try for premium paid support! So even though I'm a premium subscriber I always go for support here first (unless it's for a premium feature, of course...)

As for renaming WordPress core files, in my opinion that's a basic security practice that stops some bots cold in their tracks. Examples of files we rename because we don't need them and they just attract pests:

readme (renamed by WF, fine)
wp-mail.php (hmmm, some email to hack into, I'm there!)
wp-signup.php (sounds good, let's all sign up!)
wp-trackback.php (you have to be kidding me)
xmlrpc.php (one of the latest pest attractants, courtesy of WordPress)

As for the necessity of renaming the readme by Wordfence, in my view, if a bot is looking for a file and it's not needed, it should be renamed or deleted, and probably added to the Wordfence honey pot. It doesn't matter if those files are security risks in and of themselves or not. If they attract pests, they are a risk by default.

Basic tip: just as WF does with the readme, don't just rename to, for example, xmlrpc-renamed.php, as that's too easy for a criminal to guess. xmlrpc-random-characters-renamed.php is better.

Suggestion for Wordfence: any time you rename a file, perhaps you should include the word "renamed" in the added filename text, so we know what we're looking at when we see those random strings of characters. I got confused when I first saw the Wordfence-renamed readme file...

MTN
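The rename scheme the post above describes (unneeded core files get an unguessable suffix, and the suffix carries the word "renamed" so a human can tell what happened), as an added example. This is not Wordfence's code nor the poster's; the file list is the one from the post, the directory argument is a hypothetical WordPress root, and the 16-hex-character suffix drawn from /dev/urandom is an assumption about what "random characters" should look like.

```shell
#!/bin/sh
# Added example (not Wordfence code): rename bot-attracting WordPress core
# files to <name>-renamed-<random>.php, so the new name is unguessable but
# still self-explanatory when you see it in a directory listing.
set -e

# Files the post lists as unneeded on this site (assumption: your site
# really doesn't use them; adjust the list before running).
PEST_FILES="wp-mail.php wp-signup.php wp-trackback.php xmlrpc.php"

# random_suffix: 16 hex characters from /dev/urandom (assumes od is present,
# which it is on any POSIX system).
random_suffix() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# count_pest_files DIR: how many listed files still exist under their
# original (bot-known) names in DIR. Prints the count.
count_pest_files() {
    n=0
    for f in $PEST_FILES; do
        [ -f "$1/$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# rename_pest_files DIR: rename each listed file that exists in DIR and
# print the old -> new mapping (keep that output somewhere safe; it is the
# only record of the random names).
rename_pest_files() {
    dir="$1"
    for f in $PEST_FILES; do
        [ -f "$dir/$f" ] || continue
        base="${f%.php}"
        new="$base-renamed-$(random_suffix).php"
        mv "$dir/$f" "$dir/$new"
        printf '%s -> %s\n' "$f" "$new"
    done
}

# Usage: . ./rename-pests.sh && rename_pest_files /var/www/html
```

Two practical caveats for anyone applying this: a WordPress core update will put the original files back, so the rename has to be re-applied after each update (or enforced in a deploy script), and renaming xmlrpc.php also blocks legitimate clients that depend on it, such as Jetpack and the WordPress mobile apps. Check `count_pest_files` after an update to see whether the originals have reappeared.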

