Pretty much. I'm sure there's more than another seven that make between $1M and their figure of $90k.
But, it's still going to be probably no more than a couple % that make most of the money, and the rest of them competing for table scraps. And a lot of them will be putting in a good deal more than 40 hours/week at it.
However, it's probably not a bad way to get some exposure to real-world security problems, if your ambition is to eventually get a salaried position in the industry.