Hacker News
by bmcleod 5421 days ago
The level of security knowledge required to do decent penetration testing is a relatively rare skill and therefore often necessitates bringing in a third party, which can skew the cost/benefit quite badly.

You're often much better off saying that your site has a certain level of security because it's built in default thing X until it grows a bit.

Generally you'll know already if you're in a market or field where penetration testing is absolutely necessary (finance, health, well-known brands, etc.) and it won't be a question.