Really kinda eye opening, funny, and embarrassing to some:

The very concept of "penetration testing" is fundamentally flawed. The problem
with it is that the penetration tester has a limited set of targets they're
allowed to attack, while a real attacker can attack anything in order to gain
access to the site/box. So if a site on a shared host is being tested, just
because is "secure" that does NOT in anyway mean that the server is
secure, because could easily be vulnerable to all sorts of simple
attacks. The time constraint is another problem. A professional pentester with
a week or two to spend on a client's network may or may not get into
everything. A real dedicated hacker making the slog who spends a month of
eight hour days WILL get into anything they target. You're lucky if it even
takes him that long, really.