I have been doing a lot of pentests lately, and a lot of them involved banks and mobile network providers here in Kenya. What amazed me is that some of the admins knew about scanning systems and thought that was enough. You just launch Nessus or Nmap, like the E and Y guys do, and write up that the pentest is over, maybe after 3 days. No, it doesn't run like that, brothers.
After you find the vulnerability, you need to tactically exploit the host, bypass the IDS signatures, penetrate through to the secure networks, crack passwords and even access files that are restricted. How you do it, the duration, every step depends on the ROE (rules of engagement) and the scope of the pentest as discussed. You may have found some XSS holes, and the next day, as you get in and get down with your gear, you find that they have just been patched, and the other pages are behind the login page.
One thing you need to stress to the administration is that the scanners won't see beyond that point, the way an exploitation phase does.
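To make the "scanner said XSS, but is it still there the next day?" point concrete, here is an added example (my own code, not from the original post) that takes a list of scanner findings and re-verifies each one against the live target before anything goes into the report. It reflects a unique canary payload and classifies each finding as confirmed (payload reflected unescaped), patched (reflected but HTML-encoded) or behind_login (the page now 302s to a login). The target server, the paths /search, /search_patched, /admin/report and the SCANNER_FINDINGS list are all constructed stand-ins for this demo, not anything from the post.

```python
import html
import threading
import urllib.error
import urllib.parse
import urllib.request
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer


class FakeTarget(BaseHTTPRequestHandler):
    """Constructed stand-in for the customer's web app (assumption, not a real site):
    /search still reflects q unescaped, /search_patched was fixed overnight,
    /admin/report now redirects to the login page."""

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        q = urllib.parse.parse_qs(url.query).get("q", [""])[0]
        if url.path == "/search":
            body = f"<p>Results for {q}</p>"                  # unescaped: XSS still live
        elif url.path == "/search_patched":
            body = f"<p>Results for {html.escape(q)}</p>"     # escaped: patched
        elif url.path == "/admin/report":
            self.send_response(302)                            # now behind auth
            self.send_header("Location", "/login")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        else:
            self.send_response(404)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: a redirect to /login is itself a finding we want to see."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def verify_reflected_xss(base, path, param):
    """Re-test one scanner finding. Returns (status, detail)."""
    canary = "zz" + uuid.uuid4().hex[:8]
    payload = f"<{canary}>"  # angle brackets survive only if output is unescaped
    url = f"{base}{path}?{urllib.parse.urlencode({param: payload})}"
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(url, timeout=5) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            loc = err.headers.get("Location", "")
            return ("behind_login" if "login" in loc.lower() else "redirect", loc)
        return ("error", str(err.code))
    if payload in body:
        return ("confirmed", payload)          # raw reflection: exploitable
    if canary in body:
        return ("patched", "reflected encoded")  # reflected, but encoded now
    return ("not_reflected", "")


# Constructed scanner output (assumption): three "reflected XSS" hits from yesterday.
SCANNER_FINDINGS = [
    {"path": "/search", "param": "q", "issue": "reflected XSS"},
    {"path": "/search_patched", "param": "q", "issue": "reflected XSS"},
    {"path": "/admin/report", "param": "q", "issue": "reflected XSS"},
]


def run_demo():
    """Spin up the fake target, re-verify every finding, return {path: status}."""
    server = HTTPServer(("127.0.0.1", 0), FakeTarget)
    base = f"http://127.0.0.1:{server.server_port}"
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {f["path"]: verify_reflected_xss(base, f["path"], f["param"])[0]
                for f in SCANNER_FINDINGS}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, status in run_demo().items():
        print(f"{path:20} {status}")
```

Only the "confirmed" line belongs in the findings as exploitable; the "patched" one goes in as fixed during the engagement, and the "behind_login" one tells you the scanner never saw that page at all and the authenticated part of the app still needs manual work under the agreed ROE.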