jjav a day ago

> I'd argue work on meaningful security improvements is mostly available outside industry security roles.

I drift in and out of security roles and definitely agree. If a company truly wants secure products the proper way is to do that from the ground up as the product is designed, architected and developed. The optimal role for building secure products is to have security awareness and priority embedded in the design and engineering team. Not as an afterthought from a security team.

Alas! Most companies don't care that much, so if you want to drive the product to be more secure, it can sometimes be more effective to do it from the security organization. If the company culture is to ignore security, you can drive more improvement from infosec because then that's your job. But it's not the optimal way to get there.