It's always a bit more complicated when it's state-based. In a normal corporate environment you might assume your router, computer, software, people, aren't literally out to get you at every single moment.
No way do corporates all go placing full trust in their hardware, software or people. Admittedly hardware is one of the tricky areas - there's a hell of a lot of "networking gear from Cisco, PCs from Dell, mobiles from Apple, end of" that happens. Software is typically more complex due to the large range of vendors and probably the weakest area of the lot, and it's very organisation dependent so difficult to comment on. People on the other hand, I can't say I've experienced the assumption of trust much - a whole lot of orgs wouldn't get through their annual audit if that approach were taken.
Things get complicated when things get licensed. Google Nexus for example will be built by Huawei. Excluding Huawei and ZTE from everything your data may ever touch is going to become more and more difficult.
Is it safe for Americans to buy Huawei-built Nexus phones? | ZDNet
That really depends on what we're talking about here. The scrutiny should match the risk - a device used directly by employees with limited system access, where network connectivity is via a restricted segment, does not need to be equal to those of a greater level of trust. And the security considerations for devices differ greatly between core networking equipment and endpoint devices, where endpoint devices for example require a different approach to device management and may directly influence the trust placed in people.
So it's not as simple as what it first may appear. Design out all risks. You can imagine the capability you would need to keep the US government out of your workplace or network, imagine a more determined and well-funded player than even the US. Can you keep your systems secured if your IT staff are working against you (Snowden style or perhaps even more complicated, your suppliers, some of your staff, your developers, etc.)?
I'm not suggesting to design out all risks, in fact for complex systems it's simply impossible. What I'm suggesting is that designs have security in mind, as sadly they often don't (i.e. get it working, then "how do we make it secure?"). Things will get missed, however exploits are typically achieved via multiple layers and if just some of those layers are improved, well you might slow them down, detect them or even stop them.
The shortage, as ever, isn't usually with fresh grads. It's with highly experienced top of their game type people. In fast growing fields you're going to struggle to significantly expand your workforce.
And herein lies the problem. People at the top of their game aren't born, they're developed, and we need to develop them. If you keep recruiting them from elsewhere well then you pay more and you'll never have home grown ones.
As for fast growing fields, well sadly the security implications of IT are nothing new. There's no sudden need to consider it, simply a sudden realisation that we haven't been doing a good enough job of it.