Worth adding: even basic software security engineering services are, compared to other services, spectacularly expensive. In ten years of software security consulting for big companies, I met with very few who didn't get sticker shock from the cost of even a basic web app assessment.

Supply/demand is a motherfucker. The solution is probably going to have to focus on the supply side.



A lot of basic stuff can be automated, but that only goes so far. Security engineering is becoming its own distinct and highly specialized discipline, and the supply is probably always going to be limited.

I think a better answer is for companies to take security more seriously from the beginning. This means being willing to invest in developer training and in-house infosec. The expense of outside expertise should be ample reason to bring that inside.



