Is Certified Security Harder Than The Professional Exams – or is it better to complete the professional ones before?
Difficulty is a bit subjective, and there is difficult material covered in each exam. I thought the Security Specialty exam was easier than the professional exams. I recommend you take the Security Specialty exam first.
Take a look at the difficulty for the "Exam Readiness" courses in the AWS Learning Paths. Security Specialty is labeled "intermediate", whereas both DevOps and Architect Professional are "advanced".
When it comes to different levels of the certification exams (Practitioner, Associate, Specialty, and Professional), the question is about breadth and depth.
When you start at the Practitioner level, you cover a wide range of topics, but not much beyond the surface understanding. The Associate courses also tend to be rather broad, but definitely go deeper and ensure you have a fundamental ability to use many of the services. A Practitioner might be expected to know "IAM policies control access to AWS Resources", but an Associate would have to be able to write and interpret IAM policies.
The Professional level exams stay very wide but go even deeper. Specialty exams narrow down a lot to very specific topics, but they go very deep on those topics. The Solutions Architect – Professional might expect you to know more about KMS than the Associate courses, but not as much as the Security – Specialty, which expects you to have a deep understanding of how KMS works, it’s implementations, and how to manage it effectively.
So it comes down to what works best for you, and how you’d rather study. Both tiers are very difficult, but the nature of the knowledge varies.