"programmers who are good at crafting defenses for their own systems know how to penetrate other people’s computers, too"
This is not strictly true. There is a big difference between identifying/exploiting bugs in software and defending a network from attack. Within the context of government spending, this is the difference between funding reverse engineering/binary analysis/buying 0days and funding the training of systems administrators.
at the micro level, it's true that those activities are different, but in the big picture, they are so close, and those people are interacting so much with each other.
There is also the big offense/defense hypocrisy, like buying guns and missiles to protect people (instead of armors and bunkers), and mixing offense and defense to make some behavior more publicly acceptable.
This is not strictly true. There is a big difference between identifying/exploiting bugs in software and defending a network from attack. Within the context of government spending, this is the difference between funding reverse engineering/binary analysis/buying 0days and funding the training of systems administrators.