I hire Joe the Up-And-Coming Vulnerability Researcher (or rather, Cory does, since we hired someone to replace me 2 years ago so I could do more product work; see how this works?)
Joe and I work on projects together for 2 months.
I'm the billable resource on those projects. Joe doesn't bill.
I start out working harder (I have to deliver for clients and ramp Joe up). Pretty soon Joe ramps up and we start delivering the same work a lot faster. Eventually, Joe's so demonstrably capable (in our case, he's finding the same number or more security vulnerabilities in code that I am) that he becomes a billable resource, scheduled just like anyone else.
Depending on who you hire, this process can take months, or it can take weeks. If you hire someone with experience in your field, it may not take more than a week or two. If you hire out of University, it might take 2 months. It's almost always worth it.
I actually think Matasano has a harder time doing this than many other companies would. Our clients are extremely discriminating (we're a high-end firm) and we have to be very careful about hiring. We have clients that pick researchers from our firm by name. Staff bios go on every proposal. I can't imagine that this is the case for, say, iPhone development; most consulting companies are paying for an outcome, while security research contracts are paid in part for the process.
"they tag-team with us on projects, often for months, without being billable"