In Brian Chess's column in the back of the January/February issue of InFoSecurity Magazine (but not the online version - http://www.infosecurity-us.com), he claims that "2009 will see the death of pen testing as we know, and love, it."  He gives a few good arguments as to why pen testing in on the verge of an evolutionary metamorphosis that will make it “less distinct but more pervasive."  He further predicts that pen testing will "get wrapped into a much lager and far more comprehensive approach to improving security." 

I don't necessarily think this transformation will occur in 2009, but with our new president’s focus on a federal role in IT security and the other preverbal dominos starting to line up, it is inevitable that pen testing as it gets tied closer to business processes will play a pervasive role in a holistic approach to security management.

this sentiment has been arround for a while.  although we all love attacking stuff, it doesn't necessarily prove anything unless there's a more comprehensive approach.

Justin has a great blogpost here explaining why he thinks pen-tests are bullshit.  quite good.

if you also sell source code auditing software you may feel that way too.