at the expense of missing wide open doors.
Vulnerabilities are sometimes deliberately disregarded by IT people for ease of business. A good auditor should look for that sort of thing. Instead, so many of them care about nothing but checkboxes and screenshots.
What's the proof that we've remediated a vulnerability? A screenshot. I try to keep my mouth shut because I'm the guy who has to remediate stuff, but every once in a while I lose my patience and rant about how worthless my screenshots are when I send them.
Penetration tests are great too, but sometimes they miss stuff too.