I've done both. I've been an incident responder and have experience with penetration testing and red teaming. I think that, while reductive, this is somewhat true, but not necessarily as negative as the the article reads. Defense is made up of many things. For instance, developing effective controls to reduce the risk and impact of a security event, identifying attacks and compromise, and responding to the events. Lists of standards and responses work well. Defense also includes architectural decisions which require thinking about the graph of the network to develop these controls. There are lots of disciplines in defense too: architecture/engineering, risk management, incident response, application security, education, threat intelligence, and so on.
Also interesting that the author implies the problem is about thinking of defense in lists then provides a list of items to consider to improve defense.
Also interesting that the author implies the problem is about thinking of defense in lists then provides a list of items to consider to improve defense.