Like the"hiring geeks" post by ax0n said, we automate. Automation is a good thing but when it comes to pentesting I really think there can be too much automation. Too much automation leads to "fire and forget" activities and lack of TLC.
For example there are a couple scripts out there that try to automate your whole scan, enumerate, and exploit process and all the pentest frameworks have some sort of autohack feature and they all suck (as much as it pains me to say that --especially because I am such a msf fanboy).
There is a certain amount of diligence I think that should be applied come actual "exploit" time. Scripts that automate or allow a "tester"(?) to script too much of the pentest while handy can cause real damage on a network, not to mention MISS things, possibly IMPORTANT things.
I've heard that some people will spend a ton of time writing a tool that will run everything from nmap and a bunch of different exes, some that do automated exploitation like adding rogue user accounts if it finds null passwords or something, or whatever random exe's that can find on the net. run that script and go for lunch.
The problems arises that:
1. That much output really saves you no time if you go back and actually go through and validate the results.
2. Seems like no one knows how to enumerate and certainly no one teaches it. Automating all the steps between scan and exploit don't help the lack of enumeration either.
2. There is no "test" you just ran a bunch of tools, the script did all the "work."
3. There is no personal experience or tester analysis if you just run a script. There is no thinking outside the box or expertise involved if you hit the autohack button or ./autohack.rb
4. What about stealth? what about tactics? what about proper footprinting? what about emulating anything besides a script kiddie attacker?
5. Where is the fun and challenge in having the script do all the work for you?
6. Every pentest is (at least should be) a battle of minds against the tester and the people admining and securing the network. If you've got any kind of decent admin the easy low hanging fruit should be patched up but that doesn't mean there still aren't vulnerabilities to be found and exploited by an experienced tester. Its all about finding the one thing that guy missed and then digging in from there.
7. There's no TLC with autohack, for the amount of cash you paid for a "real" pentest, there should be some love and work from your tester, that nessus report just aint cutting it.
Moral of the story, show some TLC, get good (better) at your craft and don't rely on the latest autohack script to do things for you.