Sorry for being unclear. What I meant was that if, for example, you compare two web sites: Site A contains 1 million credit card numbers, while Site B displays some publicly available stuff. If I were an attacker, I wouldn't spend one month full time trying to break into Site B. However, Site A may be worth three months of work to get in.
So, for web applications like Site A, I would spend a lot more time looking at the little things, making sure everything is airtight. Clients usually don't want to invest a lot of $$$ in the security of a non-critical web site. So I don't go crazy and spend countless hours looking at very little things or unlikely attacks.
Please don't misread what I have just said. I wouldn't do half a pentest. But some attacks are easy to spot yet very complex to implement. I guess it all comes down to Risk = Asset Value x Threat x Impact. When the Asset Value is very low, the risk goes down, and mitigation strategies go accordingly.
Is that clearer? Sorry, I learned English at 17...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP