Perimeters are indeed tighter than they were in the past. However, if SE is part of your scope you're likely to get in.

Last place I worked we had one done and our perimeter was really tight.  Only thing open was Citrix portal.  But like most environments, it was hard candy shell on the outside, but soft squishy filling on the inside.  The test, unfortunately, did not include SE since the ISO and CIO did not want to put employees through such attempts (way to check to see if your Sec Awareness training is working :p ).  In any case, there are always ways in, but sometimes you need to get in to expose them.  Many of the current breaches have occurred due to a phishing email getting through the perimeter and some poorly trained individual clicked the link or opened the attachment.  Many large orgs are most likely not fully patched when it comes to Adobe Reader, so that vector typically works well.

Based on systems I've seen, a little of both.  I have yet to see a full implementation of app whitelisting and I've been in some places that use a completely flat network topology even though they have the ability to properly segment.  The reasons I have seen for both these factors have been typically due to impatience and lack of training.

So ok we have this nifty layer 3 core switch with all these lesser switches.  Cool lets set up VLANs so we can better secure our servers... 6 months later the ACLs have been all but removed because there are too many problems with traffic being blocked and rather figure out how to resolve, someone in upper management makes them turn off the rule that is blocking it.

We install a nifty enterprise level client side security suite.  We run all the pieces (firewall, heuristics and regular AV).  We figure cool lets use Application and device controls!  Rather than follow the vendor provided whitepapers and set the system to logging only on your test group, you decide to just add MS Office apps but then nothing else is working...  Rather than figure it out, you turn it off and only use blacklisting.

One more on Apps, patching...  Well we use WSUS so all our problems are solved!! 
"Ok so what about Java and Adobe patches?"
....
We don't patch those.
"How bout MS Office?"
Well WSUS does that right?
"No your WSUS is configured with default settings, you are only downloading Windows OS patches, you don't have Office checked off."

So with all that, your apps are not properly patched, your network is no longer segmented and your client-side endpoint protection is about as good as free AVG.  I won't even get started on the unused IDS/IPS appliance

Most companies who don't invest in talented individuals to run their networks tend to have all the shiny tools but none of them are configured properly or at all.  Back in the day, you would have to try very hard to crack the shell, but now you just need to compromise the human piece and then make your way back out of the shell.  Our traditional methods of detection no longer work unless you utilize the added pieces and start whitelisting the network.  Do not allow the unknown to run!

Or I am completely full of crap but that is for others to decide. 

A big key is, if you use existing tools (to save time,) you need to be familiar enough with them to understand 'proper' usage in a pentest (such as running scanning tools in a way which avoids, or at least minimizes, detection of your activities.)  And that familiarity comes with lots of lab time / practice with each tool, etc.