@freddy IME consultants (incl. pentesters) are hired in large part to outsource responsibility. We all know testing can't be perfect, but if there was a test and still there was an exploited bug, you have a scapegoat.
Example: you discover 10 SQLis, which is a lot. Dev fixes all of them but doesn't go any further in root cause analysis. When the 11th SQLi gets exploited it will be the pentester's fault that it was not in the report, because a) people think in checkbox lists, b) doing proper analysis is expensive, c) the consultant is not "one of us" ...