A small observation: While searching for news on firmware, I have a variety of job searches, using various keywords, mostly scoped (due to tool limitations) to US-based jobs. I notice that most jobs related to firmware security are based around D.C. and require security clearance.
What concerns me is that it seems the ratio is growing towards attackers, with fewer related jobs by either device vendors or enterprises.
Granted, vendors are hiring up all the firmware security researchers. But there is only a much smaller ratio of these kinds of jobs than of attacker jobs.
One good sign I have seen is a small rise in firmware security skills by enterprise sysadmins. Only a small number, but more than previously.
I wish some data scientist would do a study of attack/defense job ratios, without all the biases involved in my observations…