Pen testers are not risk assessors
I've had to clean up the mess a pen tester left more than once. They create artificial flags that have nothing to do with the actual valuable data of the corporation, declaring complete success when they get to a resource that is relatively low value (not SOX, not the primary product of the company, not publicly available, ...). They often engage in dodgy business practices like stepping outside the confines of the test (e.g. engaging in the pen test before they're supposed to start). They rarely emulate specific threat actors, often mixing techniques from one threat actor with methods used by other threat actors, and they are completely ignorant of the actual risk profile of the organization, all in an effort to scare people into paying them more money.
In one case, the pen testers required me, as a defender, to actually not engage in the normal defensive actions that were part of my everyday job, like blocking attackers detected through automated reports and systems. Often, pen testers are given these blank-check views by requiring the security teams to temporarily disable key defensive systems, at least for the attackers' source IP block.
It's long past time to recognize that a pen test is not a replacement for an actual risk assessment that evaluates all types of risks: adversarial, structural, environmental and accidental. Management that I talk to is getting risk fatigue, where they start to see pen testers as Chicken Little. So the theoretical value of the pen tester, to shock management into paying attention to security, is having the opposite effect, blinding management to a more detailed and strategic view of where the security dollars can be most effectively spent to reduce the overall risk to the company.