True. However, as I mumbled, encryption is the only truly effective security method.
It's helpful to know the order and sequence of making a wireless connection. I won't describe the whole process but you can see it happen if you enable tracing and look at the connection progress logs: In order to do the key exchange ceremony for encryption, the devices need to initially associate using the unencrypted MAC addresses. If MAC address filtering is active, the initial association will fail. If you have a valid MAC address, it will connect. It's as simple as that to detect MAC address filtering and determine if a sniffed MAC address will work.
You need quite a bit of hardware and carnal knowledge of the design in order to permanently change a MAC address. It's usually in a protected part of the firmware flash memory where it's safe from user screwups. All the various OS's read the MAC address, and then save it in a configuration file somewhere for later use. Changing the MAC address is nothing more than changing the saved value.
In the distant past, I was doing some wireless testing which included determining how many MAC addresses an access point could handle. (Reminder: All 802.11 wireless networking is done at the MAC address layer 2 level. Layer 3 or IP addresses are strictly for management and configuration). I had software that connected to an AP, disconnected, changed the MAC address, reconnected, disconnected, and so on. Each connection had a new spoofed MAC address. The question was how many connections could it handle before failing, how did it fail, and how gracefully did it recover. Nobody was very happy when I reported that the system would hang and die long before the connection tables were full. Hopefully, things have been fixed in today's devices.
I play both sides of the wireless fence, so it's difficult for me to provide a consistent personal policy. I also hate getting into security discussions as they always end in acrimonious disagreement. For the purposes of this discussion, I'll suggest that the manufacturers of commodity hardware are at fault for NOT providing routers and access points that are secure by default. Out of the box, the router should have a pre-assigned secure password and a pre-assigned secure WPA2 key. Only after the user configures the router can it be reduced to a lower security level. Currently, all but 2wire routers are delivered with no password (or a default password), and encryption turned off. I ran a little mini-campaign called "Secure by Default" for a few years trying to get the major players to simply understand the problem. I even suggested that they might be deemed liable for any financial damages resulting from the misuse of their routers. Certainly, by looking at the gaudy box covered with security-related buzzwords and acronyms, a casual buyer would ASSUME that they were well protected. Anyway, I was told that convenience of setup was more important and not to bother them with such problems. Oh well.