
I asked myself this same question when my work was focussed on attack research, and the result was that I stopped working on it. Finding some clever new attack is great, but no one really cares after it is patched. So I focussed on building tools as well, automated reverse engineering and static analysis tools. Tools are getting better, but even then it's not clear that any of the current tooling approaches will have significant lasting payoffs.

For all the talk of security being a rapidly changing field, it's only true in the same sense that JavaScript frameworks are rapidly changing: lots of churn but not so much progress.



"So I focussed on building tools as well, automated reverse engineering and static analysis tools."

Smart pivot. I mentioned that in my own comment. The tool building, if done right, can give you knowledge or code that can be reapplied to all kinds of use cases. Especially in static analysis since there are a few techniques and constructions that keep showing up in tools whether it's system, web, whatever. If you ever went for formal verification, the stuff you came up with might again be reusable on new problems.

Much higher payoff on tool building than just hunting and patching vulnerabilities.


What do you mean "no one really cares after it is patched"?

At that point, you get a chance to find a new attack. People really care. The government adds a new task order to your contract and then you get working on the problem.


No one really cares about what you have come up with before except as proof of your abilities.

You can't keep building on top of your work as you can in other parts of CS. Personally, this led to a desire to keep bugs private since then at least you could privately chain things together in interesting ways.

It can be a very lucrative career, and it can be a lot of fun if you enjoy turning puzzles over in your mind (though this really applies more to tricky exploit dev), but I did not find it satisfying in the long term.



