Just some thoughts on your discussion,
I think there is a healthy cost balance that needs to be achieved; as you say, a mixed blend is required. The risk and business requirements always determine the controls, such as threat hunter teams.
Threat hunters need to live on the front lines of security research, attuned to the latest threats, methods and tactics. They need/want the latest tools, and need to go to hip hacking and infosec events and conferences and do the latest and greatest training courses. There are only so many people with the talent and mentality to be effective.
From my perspective, the success of a threat hunting team is highly dependent on the human resource factor. An efficient threat hunting team would, I expect, cost lots of money. However, there is a dependency on the quality of the human resource; as they get certified and gain more experience, they will just jump ship for better wages and conditions. So where is the incentive to spend the budget on training them to such high skill levels? As the SANS Reading Room white paper highlights, the return-versus-cost balance is a sliding scale that the business requirements and risk will dictate.
The tools are getting better, with AI learning and pattern recognition, and quick identification of credential misuse, which will reduce the human dependency a little and make proactive defence and threat hunting more affordable.
Until then, I believe the ability to deploy highly skilled threat hunting teams and other active defence on their network will not be typical. However, ultimately, regardless, the blue team will always be on the back foot, and it is still a game of catch-up; defence in depth stands true.
What are your thoughts on the disclosure of vulns and issues to the vendors, given that there is a vibrant exploit trade on the deep and dark web? Bug bounty programs such as HackerOne might be helping, but bad actors do have deep pockets?