The problem, as I see it, is that in the past five years a lot of talent threw their hat into offensive security camp.
While it is definitely an interesting field, we have a distinct imbalance creeping up of defenders vs. pentesters, red teamers and security researchers.
The unfortunate reality is that offensive security is more or less universal while defense is, in large part, vendor specific. If you are hired by a company that is a Cisco shop, you are pretty much bound to rely on their security portfolio. If your employer is using Qualys, then that's what you are tied to, etc.
Additionally, enforcement of corporate security policies frequently constrains the ability of employees to use anything not whitelisted, and they are prohibited from venturing outside of their defined responsibilities by the frameworks adopted by the companies.
IMHO, this has got to be pretty frustrating for the talented folks trying to advance both their knowledge and their careers.
Yeah, right. As I have noted elsewhere, and frequently, there's been a shortage my whole career. I ain't rich yet. There's a bit of a disconnect.
All those cybersecurity hirings, they're on the "to be approved" pile, right next to the plan to fix pensions, social security, medicare, fossil-fuel dependency, sustainability, two-party politics, hot dogs coming in packages of 10 but rolls in 8, etc, etc. We live in a world where we exhaust ourselves with defining problems. After all, that's what the folks at the top of the pyramid (i.e. politicians) do a great job of - blame. It takes actual brains and leadership, however, to solve them, and those are far more scarce commodities than cybersecurity professionals.