Yes, and the USG (and DOD) spend vastly more on hardening than on offensive security. By orders of magnitude; note plural. Both in opex and (particularly) capex.
Is the money being spent wisely? Different question. But: nobody really knows how to effectively spend 100MM on hardening (a nice round number I picked at random).
Nothing would make me happier than to be able to take your word for it, but I think your definition of "hardening" might be incredibly broad. DoD funding Ada development, SELinux, Rainbow Series, Cyber Grand Challenge - hardening. DoD buying firewalls and maintaining Oracle licenses isn't hardening.
No, it isn't - it is basic network administration, and it does nothing to advance the state of the art. That is a bad faith interpretation, especially when considered in the context of offensive development. You're putting license maintenance in the same category as TCSEC, which broadens "hardening" to the point of losing all meaning - hell, throw in the cost of electricity to power the firewalls.