Security in the Enterprise is such a big issue that bad security could literally bankrupt a company. This is nothing new, but in my years as a technologist I have seen how superficially the Penetration Tester's duties are taken.
To be a good Pen Tester you need to be a savvy engineer in the particular technology you are trying to exploit; then you must have a passion for breaking bits; finally, you must be on top of the latest news, sniffing around IRC channels and networking with other ethical hackers and, why not, if possible real hackers.
Let us take the example of a buffer overflow attack: you will most likely have to be a C/Assembly programmer. Then comes ARP poisoning, and you need to be a networking engineer; we talk about CSRF or XSS, and being a web developer is a must; SQL injection: DBA; viruses: helpdesk; and the list is too long to continue.
You will be able to mitigate the risk using some tools, following best practices and what not, but for sure, if you are serious about security, you know you must provide a deep analysis of your infrastructure and architecture implementation, deploy agents for monitoring, do Penetration Testing and a lot more. The tests will need to go through all layers of your application stack and network infrastructure, and even through the real people working as employees (to prevent social engineering). Then you will review your Penetration Testing Plan at least once a year. Security is not a second-class citizen; it is as important as your Disaster Recovery strategy: did you test absolutely all your backups?
This explains why so many companies are nowadays offering these services. It is a hot market and will continue to be in the near future.
The Security Budget will be consumed either defending or facing the results of malicious attacks.
I believe Security as a Service (SECaaS) might be the answer for some companies with restricted budgets, and I can see some companies offering cloud services today moving into SECaaS in the near future.