Ignoring LLMs, the status quo for defense is that you're pwnable from the silliest of mistakes, and the status quo for offense is that even one lucky shot lets you in. Suppose you brought in 1000x more people to projects on both sides; you'd expect a much higher chance of at least one failure for the defenders and at least one success for the attackers.

LLMs don't have the same dynamics, but the same underlying idea is worth bearing in mind. Above and beyond that, yes, defense is harder for LLMs than offense. They struggle mightily when pulling together too many threads, and some projects are just too big. On the defensive side, exploits are usually very tiny and asymmetrically acceleratable via LLMs.