[Cyph0n]

Computer science in general is conference-oriented, and even more so in security. It makes sense, simply because by the time you get published in a journal, the state-of-the-art would have likely already moved forward. So it follows that the state-of-the-art work is centered around conferences. In CS at least, journal articles are used to meet the "requirements" for faculty positions and/or promotions (e.g., 5 journal papers).

On the other hand, in EE, journals are more prestigious in general, partly due to the slower-moving nature of the field. A 9-12 month wait to get your article into a journal is not a huge deal. Further, a journal article typically shows more "complete" work than a conference article would, because it usually takes much more time to fully validate your work (relative to CS, for example).

For instance, if you're presenting a novel low-power circuit, you could get away with a simulation and/or a hastily taped-out version for the conference paper (ISSCC is the top conference for this). But publishing your results in a high impact journal like JSSC will require that you have a fully tested version, etc.