
I see you are mixing up IT security jobs where you can hire "mischievous people" with IT admins.

I say 90% of security is admin work where one has access to various stuff.

Then you have red teams, pentesters, consultants, who don't ever have privileged access to anything. They should find flaws and pass recommendations to IT admins. If they hack anything at all, it has to be outlined in scope and strictly monitored. That is for both sides' protection, so that the "hacking person" doesn't get blamed for something he did not touch himself but at the same time someone pulled off something nasty.



I think you would be a bit surprised with both the university programs that teach IT security, and also which companies look to employ them.

IT security can be admins, it can be programmers that focus on exploiting vulnerabilities, it can be reverse engineers, it can be pentesters, it can be red teams, and it can be people with high domain knowledge in a very narrow field related to security. IT security is a very wide field.

IT security programs focus a bit on everything, but as in my university, they gave the person responsible for the program fairly free rein to focus on what they thought the market wanted. Different universities will focus on different aspects.

The organizations that seek such employees are also quite varied. The military, the intelligence agency, large software companies, large companies with internet assets (like banks, but also game studios), government departments like the tax office, and then naturally we have all kinds of IT security firms with red teams, pentesters, consultants and so on. A big hire of my class was also a network company developing network fingerprinting rules for deep packet inspection, which wanted people skilled in reverse engineering and decompiling (they may or may not have employed people who had experience cracking games).


Not saying IT security cannot be admins; it sounds like you are bringing a theoretical viewpoint. I already have some years of experience and certifications in the field, so it is hard to surprise me.

I am pointing out that in most places there is separation of duties, so you don't give a "red teamer" or "pentester" access to any databases when they are in an offensive role.

Then most likely administrators (who can have a formal education on paper called cybersecurity), who have loads of work so that 90% of it is configuring and keeping all configuration proper, will have requirements like background checks, and you are not going to hire "mischievous people" for that role.

Security is a broad spectrum, but still, offensive testing is maybe 1-2% of the work that needs to be done; all those systems need people to configure them. For good security, 90% of the work is waking up, updating software and keeping the configurations of systems documented and in a proper state. If some company doesn't have its security posture basics fixed, there is no point in doing a "red team assessment" or a "pentest" with them; that would be a waste of time.



