
I don't understand this. When I think of security people, I immediately think of articles where they describe how they made a timing attack which caused a race condition, which allowed them to overwrite the stack, and do arbitrary code execution via return-oriented-programming.

I'm reminded that these people exist and can routinely do stuff like this (or even more insane), and even though I've considered myself knowledgeable about this stuff, it makes me feel like the monkey looking at the monolith in 2001.

How do these folks become security experts?



Their "security advice" consists of parroting back stuff they read on blog posts, LinkedIn, and places alike.

"Change your password every 3 months", "did you enable 2FA?", blah blah blah.

Add clueless managers (as another commenter said) and some nepotism to the mix and that's how they get some contracts with big names (Microsoft, Oracle, ...).

Afterwards it only gets better for them because they can advertise they were "part of the security auditing team at <big company>, reporting directly to the VP"; even though their only real useful task was to keep warm coffee at hand.

This happens continuously until one day someone in a meeting asks them about a hash function and they are absolutely clueless and the show falls down; or it could be much worse and go on until an entire community has to pay for it with life-long consequences (see Flint), or until billions of dollars become lost/stolen (see Madoff, Holmes, your choice of weekly crypto scam), or until planes start falling out from the sky because of a newly-developed "feature" (see Boeing 737 MAX), ... the list goes on forever.

We live in an era of mediocrity disguised as a (fake) meritocracy, with all the consequences it implies.



