
Isn't the whole "security industry" a prank gone bad?


There are a whole lot of charlatans in the field. Certifications and credentials are often a good tip-off.


Not everything is useless. Code auditing is not necessarily useless; looking at the physical security of smart cards is not necessarily useless (but it looks like they could use some tougher certifications); pentesting/social engineering can have its uses.

That said, "security appliances" and other magical solutions tend to be rather imperfect. tptacek (of http://insecure.org/stf/secnet_ids/secnet_ids.pdf) may have something to say about that, too.


Everyone I've met who's been working in the "IT Security Industry" has been exceptionally coy about what they test for and how. After a few drinks I've managed to get out that they're testing for "XSS, and SQL injection, you know, things like that".

It stinks of proprietary crap and I wonder what it would look like if they took a more OSS approach? When you can't even talk about XSS testing without a bit of prodding as if it's something exceptional it really makes me wonder what on earth these guys are selling.
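For readers wondering what the "XSS, and SQL injection" testing mentioned above actually looks like, here is an added example (not code from the thread or from any firm discussed in it). It pairs a deliberately injectable login query and an unescaped HTML template with their fixed forms, then runs the kind of probe a pentester would send against each. The database, user rows and function names are constructed for illustration.

```python
"""Added example: a minimal SQL-injection and reflected-XSS check.

Assumptions (not from the original thread): an in-memory sqlite database
with two constructed user rows, and hypothetical handler names.
"""
import html
import sqlite3


def make_db():
    # Constructed sample data; nothing here is from a real system.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, user, pw):
    # String concatenation: attacker-controlled text becomes SQL syntax.
    q = f"SELECT name FROM users WHERE name = '{user}' AND password = '{pw}'"
    return [row[0] for row in conn.execute(q)]


def login_safe(conn, user, pw):
    # Parameterised query: identical input is treated as data only.
    q = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(q, (user, pw))]


# The textbook tautology probe: turns "AND password = '...'" into
# "AND password = '' OR '1'='1'", which matches every row.
SQLI_PROBE = "' OR '1'='1"


def sqli_check(login):
    """Return True if the login handler is injectable.

    Baseline: a wrong password must return no rows. Probe: the injection
    string in the password field must not return more rows than the baseline.
    """
    conn = make_db()
    baseline = login(conn, "alice", "wrongpassword")
    probed = login(conn, "alice", SQLI_PROBE)
    return len(baseline) == 0 and len(probed) > 0


def render_greeting_vulnerable(name):
    # Untrusted input interpolated straight into markup.
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(name):
    # html.escape turns < > & " ' into entities, so the probe is inert text.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


XSS_PROBE = "<script>alert(1)</script>"


def xss_check(render):
    """Return True if the probe is reflected into the page unescaped."""
    return XSS_PROBE in render(XSS_PROBE)


if __name__ == "__main__":
    print("SQLi (vulnerable):", sqli_check(login_vulnerable))
    print("SQLi (safe):      ", sqli_check(login_safe))
    print("XSS  (vulnerable):", xss_check(render_greeting_vulnerable))
    print("XSS  (safe):      ", xss_check(render_greeting_safe))
```

The two checks are deliberately differential: each compares a benign request against a probe rather than pattern-matching the response, which is what separates a real test from grepping for the word "script". A production scanner adds many more probes (blind and time-based injection, attribute and JavaScript contexts for XSS), but the logic is this shape.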


I've never done anything with them, but e.g. http://www.rootlabs.com/engineer-job.html sounded a lot more interesting than what you describe. On the open-source front, you find stuff like Metasploit, nmap, Snort, previously Nessus (forked as OpenVAS), web stuff like Nikto, etc.

Don't forget that lots of "programmers" are barely-skilled and working on VBA macros - one label can cover a wide range of skill.


I've met some guys who were pretty fit in encryption topics / key management etc. for whole corporations. And it actually works, so you rarely hear about that. Quite a few skills are needed to master that, actually.



