Re:You give banks too much credit (Score 1)

I think you give security audits too little credit. In a security audit or vulnerability assessment, auditors or penetration testers have to work within a scope of work predefined by the project management. In most cases of missed security findings, it's due to insufficient coverage of the scope. There's no free lunch, and no one's going to do extra work for free. Furthermore, a lot of security holes found are rejected by the business owners. What's a consultant to do when a client refuse to accept a finding?