Protecting stuff is rarely as interesting as breaking it
The trouble with infosec jobs is that, on the whole, they're deadly dull most of the time - procedures, policy and procurement; audit, archive and architecture. They need people who would be as happy in accountancy as IT. However you dress it up, however much you pay, the number of candidates is always going to be limited.
And while you obviously need staff to deal with the human aspects of information security, it's not clear to me why users should be paying security people to put sticking plasters on the broken IT equipment they're buying. If the manufacturers put more emphasis on the more exciting work of demonstrating how hackable their systems are - and then fixing them - then perhaps there would be enough people around to deal with security admin.