It's a good question and it's one that can go either way depending on the pentesting company. In my first Security Startup I founded, we took most contracts large and small with only standard questioning. We found that while sometimes we made less upfront, the clients that were more in sync with solving a known or suspected problem and were using the pentest as part of moving forward.
There are tons of companies looking for simple check boxes, or affirmations. Tons that don't acknowledge their issues. I can say first hand that I had a project I was involved with that identified a substantial breach at a company under acquisition for an obscene amount of money. Most M&A seem to skip technical diligence beyond code review. Long story short there were actually three separate issues / actors within the network. They even had one authorized access by a competitor that a salesman had naively setup under the guise of a collaboration. They paid for the onsite investigation then realized that it was going to create a PR nightmare based on our findings. It would have been a huge exposure that would counter the obscene amount of marketing they were doing
for the tech acquired. Their response was to not only ignore us (i'm assuming they eventually fixed things) but refuse to pay for the investigation performed and basically said.. we're a billion dollar company what are you going to do, sue us? We got stiffed with probably a quarter mill in work because they were right. Worst part is we called them to let them know originally because we found EXTREMELY sensitive source code and documentations of a crypto nature. Incidentally we saw some 0-days later on that leveraged undocumented functions that were curiously documented in our findings.
So yeah.. you see it all. That's why I love working with startups, make less, but they're appreciative and long term relationships are more worth it for us.
