After reading it, its pretty obvious neither of them are big proponents of pen testing. It makes sense on some level, if your not going to do anything with the report, why bother spending the money. The only reason is for it then would be compliance issues. I personally think pen testing does provide some value, but the market is flooded with below average pen testers which waters down the effectiveness of it. Also, I think simply coming in and reviewing and revising IT processes like patching, best practices, and IR policy is more effective then a network pen test in the long run.