You can't just hire a security consultant to run a test, then stick on his list of band-aid fixes and be done with it.
And yet that's what many snake-oil consultants offer.
...but a comprehensive practical test is what you complained about in the first place!
They set up a fake wireless access point in an office, and when a lot of people accidentally connect to it, they sniff some passwords. After that, they show it to the boss and say, "look how insecure you are!" The boss is shocked and they send a bill, even though they've done nearly nothing.
If they're a level up, they might have an automated Metasploit script to throw at servers.
So let me get this straight... a consultant who walks in and says "look how insecure you are!" and raises general awareness of security is a bad thing, per your earlier post. A consultant who offers a list of exploits is only "a level up" from that. Per your last post, you agree that a consultant delivering just a list of patches is bad.
What do you think a good security consultant would deliver, exactly?