Article 2d "This Regulation does not apply to the processing of personal data: [...] by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security." exempts data collection by gov't for security purposes.
Article 6.1c "Processing shall be lawful only if and to the extent that at least one of the following applies: [...] c) processing is necessary for compliance with a legal obligation to which the controller is subject;" exempts data collection by private parties if ordered by gov't, e.g. if they require communications operators to track subscriber identities or something else, then GDPR consent requirements don't apply.
So I'd say that it's materially true that "Data collection for security and intelligence purposes by governments is exempt from GDPR rules", as long as governments are doing this data collection according to whatever other laws they have passed and not in violation of them (which sometimes has been the case, though, with executive branch doing what legislative branch has forbidden them).
Member states have argued that intelligence services aren’t covered by EU law (their management is reserved to the member states), but since the basic principle of data protection is embedded in the European Charter of Human Rights, you can argue that EU residents (indeed, everybody) should be protected. It’s just that, unless individual countries write it into their law or a court successfully asserts its jurisdiction, there is nobody to enforce it against the intelligence services.
