I think that if conducted properly, a pen-test offers great value to a company. I also think that the customer must also react properly to the pen-test in order for it to have great value.
A pen-test should be used to test policies and procedures to make sure they are in effect or need fine tuning. If your company policy states that all routers and swithces on the network should user SSH for management and a few routers are found to have telnet running during a test, that should indicate that there is an issue in the enforcement of your policy or procedure. If you don't have any security policy are procedures, well... you shouldn't be conducting any pen-test at this time.
Let me give a real life example.
I had a customer who thought had a pretty solid patch management process in his organization. This client made sure that none of their windows servers had exploitable vulnerabilites and patched them every week on Sundays. After 2 days of pen-testing I had gain full control over their network, not only did I hack into their AD and cracked all their passwords, but I also had access to all their routers and switches. It is true that the client had all his windows server OS properly patched, but their patch management was flawed. It was flawed because it only encapsulated the Windows OS, not the services running on them. So even if their windows servers were fully patched, I was still able to exploit a vulnerability located in veritas backup agent. I have also accomplished the same results with other services such as dameware and remote admin.
This shows the true value of a pen-test. The customer reacted to the pen-test by modifying their patch management process to ensure that it covered all services on the OS.
Pen-testing should not only be used to patch holes on your network but should also be used to patch policies, procedures and standards within the company.
