The other huge point is it's easy to get some regular Red Team penetration testing, it's quite another thing to get what the Red Team found in their analysis mitigated properly in a timely fashion.
I have several friends who are on Red Teams working for pretty visible info sec companies. The one thing they always harp on is going back to test a companies network or physical infrastructure and finding most, if not all of the necessary fixes have not been corrected from their last visit.
You're right, big companies do have regular testing, but you'd be surprised how slowly those holes and issues actually get fixed.
I have several friends who are on Red Teams working for pretty visible info sec companies. The one thing they always harp on is going back to test a companies network or physical infrastructure and finding most, if not all of the necessary fixes have not been corrected from their last visit.
You're right, big companies do have regular testing, but you'd be surprised how slowly those holes and issues actually get fixed.