One thing I've noticed when the subject of penetration testing is raised is that the goal is commonly seen as finding a vulnerability in a system and exploiting it. This is seen as a successful penetration test.
But the real question, I think, is why that vulnerability was there in the first place. Say, for example, that a penetration test finds that a web server has default scripts left on it. The main value of that finding is in discovering why that was the case: was it because the default build for the company has that vulnerability, was the server that was tested built manually as a one-off...? The main benefit for the company is in realising where its procedures or policies need to be amended to make sure that the vulnerability does not occur again, rather than in a report which says "yep, that server was vulnerable".

