From being both in IT and Auditing I can tell you that it is harder to defend than to attack. There are similiarities to both areas:

1. Both areas have tools that can automate that process of securing or breaching
2. Both areas require at a minimum, some time and effort to learn and experience the better or best ways to practice their craft; however, to fully master defense or attack, one needs to commit oneself, like any craft, to it every day - I was in IT for quite awhile and when I flipped to auditing, I found I was a novice in a different arena of thought.

Having stated the above, it just feels to me that defense takes more work - why because as previously stated throughout this thread, defense it more a guessing game, the attack can be better planned. With defense, one needs to plan for every contigency that can be imagined.

Also because some feathers seemed ruffled in this great thread, I thought I would share a fairy tale - don't worry it has been deemed "The Worlds Shortest Fairy Tale!" Please God, don't let my wife see this - if she does - honey I love you and this is just a joke! :

Once upon a time a guy asked a girl, "Will you marry me?"
She said, "No !"
And the guy lived happily ever after.
THE END