I also work in security (appsec) and most of my day is spent programming. In my experience in the security space (10 years at the moment) the qualifications are absurdly disconnected from actual job requirements. At my last place when I was involved in hiring decisions we selected mainly on attitude and coding ability. At my currently location this does not seem to have been the case as most on my team literally can't code. I'd take someone who can code over someone who knows tons of security theory any day.
