But I started out by finding software engineers that were interested in security and were willing to learn and turned them into higher-paid security folks.
absolutely this. most solid security people were devs with an interest who were given the opportunity to flip. the problem is employers want to pay below market prices, for someone who already has all of the skills they want. that just doesn't happen: those people command a lot more money. your approach is MUCH more practical (hire or transfer good interested devs internally, and train them up).