This is just my personal rant and if you haven't been involved in testing the security of a company I am sure you don't understand. It's just a weird feeling that it all relies on you. They ask you to come in and test their security. Let them know if they are safe or not. I always feel such a weight on me. Am I going to really see everything? Am I going to catch every hole? If I miss something and 2 weeks later it gets exploited, how do I look? Did me missing one little thing I should have seen just compromise a lot of important data? Did that compromise hurt people's lives?
I've been doing this a while now too and I think you're being a little melodramatic.
A pentest provides management with information about the condition of risks and internal controls at a given point in time.
Future changes in environmental factors and actions by staff, etc... will impact these risks and internal controls in ways that the pentester cannot anticipate.
Pentests all have a scope. I strongly doubt that every pentest you've been involved in covers the company's entire infrastructure. A company of any reasonable size will define the scope of the pentest and as such there will be substantial limitations to your view into that environment. Are you only testing the internet facing hosts of the company or internal servers too? Are DoS attacks fair game? What about user workstations, the users themselves? A pentest is an *attempt* to simulate an attack by a malicious outsider, employee, etc... Any attacker is going to have no such restrictions.
I have just completed an engagement and the internal assessment portion covered very, very specific hosts/servers. This was supposed to be a subset of devices/hosts representative of all their server environment. Turns out that the manager had told the sysadmins about the pentest and they went and patched/reconfigured those machines. Now if I had not been informed of this my report would have stated that based on my findings they were in good shape. Where does my responsibility lie if they get compromised through another server in that data center that they did not patch and the attacker gains access to one of the servers that I vetted and assessed? In that case we actually expanded the scope to include the entire server subnet. We found LOTS of ingress points.
We, as pentesters, have limitations to what we can or cannot do in a pentest. Attackers don't.
I understand the need to provide a quality service that you can be proud of, but how is the responsibility yours if two weeks later a system in their network gets compromised? Sure, if it's one you assessed and it was compromised through a known exploit that was out at the time then, yes, that's probably your responsibility and you should reevaluate your skillset.
The level of your responsibility is directly related to the scope of the engagement.
I understand the point you are trying to make in that we should take pride in our work and provide the best results possible every time but I think you should be a little clearer on just what that responsibility is, especially considering the number of requests this site sees from people starting out in this or other related fields.