In my experience, the reverse-engineering-type jobs tend to involve targeted malware and related forensics, or code review of software the client doesn't own but is forced to depend on for some reason or another. And of course there's research, but that's not something most security firms generate revenue from directly.
You are absolutely right about the massive waste of resources that holding back info causes. It's way better to give consultants complete control of a working test system with the full build environment. And they might as well just let you do it remotely. But many companies don't do that. Instead they would rather eat your travel and accommodation costs, and then when you show up you're being paid to sit around for a week because they don't even have things ready, so you sit around reading bullshit documentation so you look busy and your contact doesn't look bad. And when you finally do get something, you spend lots of billable hours figuring out how to get it up and running, which provides absolutely no value to them and wastes valuable time you could have been finding bugs. But that's just how it goes.