
The problem with the term "security expert" is that it is stupidly vague. You describe a security expert as somebody who knows how to break software. I think Bruce would describe a security expert as somebody who knows what to do once the software is broken (or, perhaps, somebody who knows how to plan for the eventuality of broken software).

Regardless, I think Bruce is right about the mindset: if you want to be good at security (no matter where you want to live in the continuum), you have to think differently. That is why most software engineers are good at writing code that can be easily broken. We think in terms of building up, not tearing down.

I also think you are right: once you decide where you want to live on that continuum, you have to understand it inside and out.



