An older company I worked for went out of their way to find a pen tester that would basically rubberstamp everything and give them a pass. I actually uncovered major issues with the software during that process, to the point where it was unusable. Major components were severely out of date and open to attack. Other parts didn't even work as advertised. I didn't stick around much longer.

I wish I could recall the name of a pen test company I worked with when I wrote my auth system... They were pretty great and found several serious issues.

At least compared to our internal digital security group, who couldn't fathom that "your test is wrong for how this app is configured; that path leads to a different app and default behavior, so it's not actually a failure" was a valid answer to a canned test for a PHP exploit. The app wasn't PHP, it was an SPA and always delivered the same default page unless in the /auth/* route.

After that my response became: show me an actual exploit with an actual data leak, and I'll update my code instead of your test.

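The false positive in that second comment, a canned PHP check firing because an SPA returns its index page for every unknown route, can be triaged by comparing the "hit" against a baseline of paths that cannot exist. This is an added example, not code from the thread; `spa_respond` and `exposed_php_respond` are constructed stand-ins for the SPA described above and for a host that really does expose phpinfo().

```python
import hashlib
import uuid
from typing import Callable, Optional, Tuple

Response = Tuple[int, str]  # (HTTP status, body)

# Constructed stand-in for the SPA in the comment: every route outside /auth/*
# gets the same default index page, while /auth/* is served by a different app.
SPA_INDEX = "<!doctype html><html><head><title>App</title></head><body><div id=root></div></body></html>"

def spa_respond(path: str) -> Response:
    if path.startswith("/auth/"):
        return (200, "<html>login form</html>") if path == "/auth/login" else (404, "not found")
    return 200, SPA_INDEX

# Constructed stand-in for a host where the canned check would be a true positive.
def exposed_php_respond(path: str) -> Response:
    if path == "/phpinfo.php":
        return 200, "<html><h1>PHP Version 7.4.33</h1></html>"
    return 404, "not found"

def fingerprint(resp: Response) -> Tuple[int, str]:
    status, body = resp
    return status, hashlib.sha256(body.encode()).hexdigest()

def catch_all_baseline(respond: Callable[[str], Response], prefix: str) -> Optional[Tuple[int, str]]:
    """Request a few paths that cannot exist under the same prefix as the hit.
    If they all return the same page, that page is the catch-all, not a finding."""
    fps = {fingerprint(respond(prefix + uuid.uuid4().hex)) for _ in range(3)}
    return fps.pop() if len(fps) == 1 else None

def classify_hit(respond: Callable[[str], Response], path: str, marker: str) -> str:
    """Triage a scanner hit: 'confirmed' only if the expected evidence (marker) is in the body,
    'catch-all' if the response is identical to the site's default page, otherwise 'needs-review'."""
    status, body = respond(path)
    if status == 404:
        return "not-found"
    if marker in body:
        return "confirmed"
    prefix = path.rsplit("/", 1)[0] + "/"  # stay within the route family the scanner hit
    if fingerprint((status, body)) == catch_all_baseline(respond, prefix):
        return "catch-all"
    return "needs-review"
```

The `marker` is the evidence the canned check claims to find (here the "PHP Version" banner); a 200 alone is not evidence when the app answers 200 to everything.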