That means that they work 40 hours a year, for an average salary of 29k$, or around 800$/hr. Not bad al all
I would expect that the rest of the year they keep updated with research and systems, code their tools, search for vulnerabilities, find targets etc.
It's probably comparable to other fields where you spend 80% of your time finding clients and pitching projects to fill the 20% of the time you are actually getting paid.
Of course, at least they don't have to worry about PR, branding, cocktails and such