Competing harder for the limited pool of competent security people might redistribute breaches away from your company onto others. From a local perspective this could be rational, but as a society we want to be less vulnerable in aggregate.
(Although there I think the IT operations side is vastly overblown and not nearly enough attention is paid to quality control on the most popular software packages. Want to make every business substantially more secure at once? Take a hard look at Windows Server, Exchange, etc.)
I'd say "costs more than the median income" is closer. Adjust for legitimate training costs that are incurred by the workers, and it might be a pretty good definition.
Paying more just means you fill your vacancy at the expense of another firm who has their employee poached. The net effect is that one company is still vulnerable.
They are all in this together? Paying more means you fill your vacancy.
Edit: The cheapskate can follow suit and maybe that convinces one person to undertake the 8-week cert. No more shortage. Or maybe they don't pay more and are DDoS'd out of business. Again, no more shortage.
There are at least one million people in the US who have more than enough experience for an entry-level cybersecurity position; all they need is a few weeks of training (to start) and an employer that isn't demanding twenty years of experience and a CISSP for $50k with crap healthcare and inadequate PTO.
Also, employees are not some company's property. At-will employment goes two ways, and if you want to treat them as if they were property you may as well just turn off the lights now because it will not end well.