Re: Reform?
As someone who works in the industry, but not for any of the above companies...
Companies like NCC only perform scans within a given scope, so a client will come along and say "we need you to scan www.ourcompany.com" for a budget of £X (i.e. time limited), so that's what they do, and provide a report saying what was found.
But this is just a scan of the front door; it's extremely limited in scope, and the client companies want it limited because it saves them money. Sure, you might not find any vulnerabilities on the web server itself, but that's not the only way to attack a company site:
* Third party sites that provide content (ads, analytics or tracking scripts etc)
* The backend hosting environment where the site is (routers, firewalls, hypervisors, nameservers, etc etc etc)
* The workstations used by those who manage the site itself, or the infrastructure it sits on.
* Any interconnected infrastructure - e.g. are any of those aforementioned devices joined to a domain?
* Malicious employees.
There are so many other ways to hack a site, but doing a thorough assessment of all the interconnected pieces in a highly complex system is very expensive - so no one does it.