I'm reminded of a talk by a guy who ran a penetration testing team (I think in Israel?) which was hired by a bank on a highly permissive contract. It led to them trying to physically rob the bank just because they could. (Spoiler: It didn't go well.)

Unfortunately, I don't know many programmers who would take kindly to rubber hose pentesting.