
I think you would be a bit surprised with both the university programs that teach IT security, and also which companies look to employ them.

IT security can be admins, it can be programmers that focus on exploit vulnerabilities, it can be reverse engineers, it can be pentesters, it can be red teams, and it can be people with high domain knowledge in a very narrow field related to security. IT security is a very wide field.

IT security programs focus a bit on everything, but as in my university, they gave the person responsible for the program a fairly free range to focus on what they thought was what the market wanted. Different universities will focus on different aspects.

The organizations that seek such employees are also quite wide. The military, the intelligence agency, large software companies, large companies with internet assets (like banks, but also game studios), government departments like the tax office, and then naturally we got all kinds of IT security firms with red teams, pentesters, consultants and so on. A big hire of my class was also a network company developing network finger rules for deep packet inspections, which wanted people skilled with reverse engineering and decompiling (they may or may not have employed people who had experience cracking games).




Not saying IT security cannot be admins, sounds like you are bringing a theoretical viewpoint. I already have some years of experience and certifications in the field - so it is hard to surprise me.

I am pointing out that in most places there is separation of duties so you don't give a "red teamer" or "pentester" access to any databases when they are in an offensive role.

Then most likely administrators (who can have formal education on paper called cybersecurity) who have loads of work, so 90% is configuring and keeping all configuration proper, will have requirements like background checks and you are not going to hire "mischievous people" for that role.

Security is a broad spectrum but still offensive testing is maybe 1-2% of the work that needs to be done, all those systems need people to configure them. Having good security, 90% of work is waking up, updating software and keeping configurations of systems documented and in proper state. If some company doesn't have their security posture basics fixed there is no point of doing a "red team assessment" or a "pentest" with them, that would be a waste of time.



