Not to diminish the importance of penetration testing, but I believe this is one area of IT management that is SERIOUSLY OVER-HYPED! We're really talking about the patch management process.
Let's also not forget that we're only dealing in the world of "known" flaws. There are numerous quite serious flaws that have been exploited in the past, and likely there will be more in the future, that laid dormant and undetected for years. What's common to all exploits are threat vectors, conditions and the actions that actually cause disruptions. Risk is the product of a flaw plus a threat action. Pen-testing only identifies known conditions per the vendor's signatures that exist at the time of the scan. It can't identify compromise that already occurred. It can't identify device misconfigurations. It can't identify abuse and misuse. It can't identify subterfuge being perpetrated by the users of pen-testing software who may want to obfuscate their scam. Pen-testing is an important aspect of good management processes, but I hardly think it deserves an entire year's discussion focus... unless you're selling pen-testing services. :-)
Administrators and company principals would be better off understanding how their IT resources are contributing to their bottom line (WAN utilization, communications security, data leakage, employee productivity, legal liability and so forth) versus one aspect of maintaining their software and equipment. Pen-testing is like regularly checking your tire pressure. How you drive your car, and where, is a tad more important in determining the outcome.

Copyright © 2010 threatpost.com