
What I've found is it isn't that companies won't pay for good people, they very much will; as a sec engineer you can make 200k pretty easily with just a few years of experience in a lot of places.

The problem is once these people are hired they come in and aren't given power to do anything, or the "drive for security" isn't actually present in the organization once people realize it might actually force people to focus on things other than pushing features as fast as you can.

This issue is further exacerbated by the fact that there is not an insignificant portion of info sec guys that believe they have to come in and save the organization from themselves and that they are the heroic white knight valiantly protecting the company from the unwashed masses of wild wild west cowboy developers and incompetent sys admins.



I once worked with one of those heroic security guys before. He set up the firewall so that the public website was only accessible from a whitelist of known IP addresses. New users would need to submit their IP address to him in person before they'd be allowed to browse the site.

He insisted that this was industry best practice and it took two weeks before the site was online again.


At that point just take it offline entirely. For security of course.



