by sebcat
3217 days ago
> 9 times out of 10 the only reason they'll resort to testing anything is to cross off a corp checkbox somewhere

Can confirm. The way it usually works is that Company X has N dollars allocated for security. Company X (or rather, a person or a team at Company X, with his/her/their own internal and external priorities and motivations) buys a service - recurring automated tests/assessments/pentests &c. This is where the usual corporate bullsh*t kicks in. If they want to show that they've done a good job in securing something, they buy a pentest over a short duration for a minor thing and then they claim "<trusted security vendor Y> said we were secure". If they want more money, they obtain data to show that.

The infosec companies have a "customer is always right" mind-set. It's business. You can probably get good cash just for telling people to use TLS. Green padlocks and all that.

EDIT: also, to differentiate infosec from regular security, don't forget to prepend "cyber" to everything.