
I agree, but think of it this way: imagine a doctor arguing against washing their hands. The analogy is pretty apt. Washing your hands is as effective in reducing disease as pentests are at improving security. So why are we still seeking ways to justify to ourselves that we can do without pentests?

It just seems like pentests need to move from "nice" to "necessary." (Part of that is reducing their cost from $60k to $6k.)




The bigger problem with pentests is not the current cost but, as I see it, that security is inherently and inescapably expensive somewhere in the chain, and that vendors have been getting a free lunch for too long. The viability of security analyses/pentests will go down if your goal is to reduce the cost by an order of magnitude, because the people who are any good will find something better to do--and the consumer will still pay through all the bullshit externalities.

Security needs to cost to demand talent. The real solution to this problem, I think, is that failure to secure needs to cost (whether in monetary or criminal terms) or it isn't relevant to business concerns.


I think the parent was arguing that this:

> security is inherently and inescapably expensive somewhere in the chain

...is the thing that needs to change. Presumably using more automation (e.g. employing more software like http://lcamtuf.coredump.cx/afl/), such that "pen-testing" shifts from being a labor cost to a capital cost.


Open telnet servers are a solved problem (taking the solution off the rack is a question of time and, effectively, the willingness to be negligent). The automation exists.

It's the hard stuff that is context- and environment-dependent to a degree that it resists automation.


Is pen testing necessarily expensive? I wonder if we could train QA to use something like Kali (or even just some network tools) to find 99% of vulnerabilities.



