It seems to me that the way to deal with offshoring would be to bring back a modern version of outlawry. The US could basically declare: "Until this corporation pays its fines, the US will not prosecute or extradite any individual or corporation who hacks them, steals their physical or intellectual property, declares debts to them canceled, or violates contracts with them."
Software engineers don't run these companies, executives do. Even if you have security training, that won't do you much good if leadership doesn't value security. If your company stores highly-sensitive data, you need teams dedicated to security, you need regular audits, and you need your entire company trained to handle phishing attacks.
I would rather that there be greater security training in software development programs/bootcamps.
I’m a software engineer. I know a lot of software engineers. None of us have ever been trained in security.
Any “best practices” are usually picked up in Stack Overflow conversations.