Information security is a complex field. A wide array of skills goes into protecting systems from security threats and mitigating the effects of intrusions. Of course, because people like simplicity, only a small subset of the field is commonly publicized: that of vulnerability management.
I won't lie: There's definitely a reason why this part of infosec is so popular. The idea of "making sure we don't get hacked" is very interesting and immediately accessible. But it's also worth knowing the whole picture. Here are some alternative fields in security that are essential for making sure your systems are safe.
IAM (identity and access management) is the practice of managing the access that individuals in an organization have across different systems. This could mean choosing which user accounts have access to an admin control panel on a website, or making sure users don't have local admin rights on their workstations unless they really need them.
The practice of IAM centers on one basic concept: individuals should not have access they don't need. This gives two distinct benefits: protection against rogue identities, and damage limitation when accounts are compromised. If an employee of your organization decides to mess with things they really shouldn't, a proper IAM setup can prevent that from happening, since they wouldn't have the access needed to do anything outside what their job role requires. And even if all your employees are good, upstanding model citizens, if their accounts happen to be compromised by outside actors, the same access controls ensure the intruder can't do much damage.
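To make the "two benefits" concrete, here is an added example (not code from the original article) of a deny-by-default, role-based access check. The roles, permissions, users and the `SENSITIVE` set are all constructed for illustration; the point is that a compromised `web_editor` account carries none of the sensitive permissions, so the intruder's reach is bounded by the role, not by the attacker's skill.

```python
"""Deny-by-default role-based access check illustrating least privilege.

Constructed example: the roles, permissions and users below are invented
and do not describe any real organization's setup.
"""
from dataclasses import dataclass

# Each role grants only the permissions that job actually requires.
ROLE_PERMISSIONS = {
    "web_editor": {"cms:edit_posts", "cms:publish"},
    "helpdesk": {"tickets:read", "tickets:update", "users:reset_password"},
    "site_admin": {"cms:edit_posts", "cms:publish",
                   "admin_panel:access", "users:delete"},
}

# Actions whose misuse would cause serious damage (constructed list).
SENSITIVE = {"admin_panel:access", "users:delete"}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset  # role names assigned to this account


def effective_permissions(user: User) -> set:
    """Union of the permissions granted by every role the user holds.
    Unknown role names grant nothing rather than raising."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(user: User, permission: str) -> bool:
    """Deny by default: a permission is granted only through an assigned role."""
    return permission in effective_permissions(user)


def blast_radius(user: User, sensitive: set = frozenset(SENSITIVE)) -> set:
    """Sensitive actions an intruder holding this account could perform.
    An empty set means a compromise of this account is contained."""
    return effective_permissions(user) & set(sensitive)


# Constructed accounts: an editor with a narrow role and an administrator.
ALICE = User("alice", frozenset({"web_editor"}))
BOB = User("bob", frozenset({"site_admin"}))

if __name__ == "__main__":
    for account in (ALICE, BOB):
        print(account.name,
              "admin panel:", authorize(account, "admin_panel:access"),
              "blast radius:", sorted(blast_radius(account)))
```

`blast_radius` is the review question to ask of every account: if this one were stolen tomorrow, what could the thief do? Accounts whose answer is larger than their job requires are the ones an IAM program trims first.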
GRC (governance, risk, and compliance) doesn't directly affect how secure your systems are; it's concerned with your decision-making process for deciding what to prioritize in your systems' security. With limited resources, you can't fully secure everything down to every possible little avenue. But you can put time into figuring out the best ways to use the resources you have.
GRC is essentially the question: "Considering which parts of our systems carry security risks, how big those risks are, and what the government requires of us, how do we spend our resources?"
The compliance side of this is fairly straightforward as a concept, but gets messy in the details of an organization's specific setup. The goal, at the end of the day, is to comply with governmental regulations regarding information security and to be able to readily prove that you are compliant. The reason it's such a major part of security, though, is that it's hard to be absolutely certain you're prepared for audits and won't get knocked for violations you didn't think about.
From the risk management side, your goal is to put your resources towards mitigating the most significant risks in your systems. The "significance" of a risk is typically seen as a function of two variables:
The likelihood of negative effects coming from the risk
The magnitude of negative effects coming from the risk
Some also factor in how efficiently resources can be spent on mitigating the risk. So, the ideal risks to prioritize are the ones that are likely to cause big problems and that can be fixed easily at low cost. Of course, it's never that simple, because these values are hard to quantify, and they rarely work out that cleanly.
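As an added example (not from the original article), the following code carries the two-variable model through: significance is likelihood times magnitude (an expected loss), and the optional third factor is expressed as expected loss avoided per unit of mitigation spend. Every risk, probability and cost in `RISKS` is a constructed number chosen only to show how the two rankings can disagree; the "residual likelihood" field is my assumption for modelling what a fix actually buys you.

```python
"""Rank security risks by significance and by mitigation cost-effectiveness.

Constructed example: the risks, probabilities and costs are invented numbers
for illustration, not figures from any real assessment.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float           # probability the bad outcome occurs per year (0..1)
    magnitude: float            # estimated loss if it occurs, in currency units
    mitigation_cost: float      # one-off cost of the fix
    residual_likelihood: float  # likelihood after the fix (assumed field)

    @property
    def expected_loss(self) -> float:
        """Significance as the article defines it: likelihood x magnitude."""
        return self.likelihood * self.magnitude

    @property
    def loss_avoided(self) -> float:
        """Expected loss removed by applying the mitigation."""
        return (self.likelihood - self.residual_likelihood) * self.magnitude

    @property
    def efficiency(self) -> float:
        """Expected loss avoided per unit spent; higher is a better use of budget."""
        return self.loss_avoided / self.mitigation_cost


def rank_by_significance(risks: List[Risk]) -> List[str]:
    """Biggest expected loss first: the 'likely and severe' ordering."""
    return [r.name for r in sorted(risks, key=lambda r: r.expected_loss, reverse=True)]


def rank_by_efficiency(risks: List[Risk]) -> List[str]:
    """Most loss avoided per unit of cost first."""
    return [r.name for r in sorted(risks, key=lambda r: r.efficiency, reverse=True)]


def plan_within_budget(risks: List[Risk], budget: float) -> List[str]:
    """Greedy plan: fund mitigations in efficiency order, skipping any that
    no longer fit in the remaining budget."""
    chosen = []
    remaining = budget
    for r in sorted(risks, key=lambda r: r.efficiency, reverse=True):
        if r.mitigation_cost <= remaining:
            chosen.append(r.name)
            remaining -= r.mitigation_cost
    return chosen


# Constructed register: the flood is catastrophic but rare and costly to fix;
# the laptop risk is modest but almost free to close.
RISKS = [
    Risk("unpatched public web server", 0.6, 200_000, 5_000, 0.05),
    Risk("lost laptop without disk encryption", 0.3, 50_000, 2_000, 0.02),
    Risk("data center flood", 0.01, 1_000_000, 300_000, 0.001),
    Risk("phishing leading to account takeover", 0.5, 80_000, 20_000, 0.2),
]

if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.name:40s} expected loss {r.expected_loss:>10,.0f}"
              f"  efficiency {r.efficiency:6.2f}")
    print("by significance:", rank_by_significance(RISKS))
    print("by efficiency:  ", rank_by_efficiency(RISKS))
    print("with 10,000 budget:", plan_within_budget(RISKS, 10_000))
```

With these numbers the two orderings disagree in the middle: phishing outranks the laptop on significance, but the laptop fix avoids far more loss per unit spent, which is exactly the tension the paragraph describes. The greedy budget plan is deliberately simple; real programs also weigh compliance obligations and dependencies between fixes, none of which a single number captures.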
If you're interested in the field of information security and keeping systems safe, but aren't that interested in penetration testing and researching the newest attack vectors, be aware that there are still plenty of different routes you can take to get involved in the field. The entire field of security needs people with the skills to create a safer world of technology.