Budgets, constraints and
The problem in infosec is it's all a game of compromise and risk management, and there are no guarantees.
If you hire someone to do a pentest, how in depth do you want them to go? And more importantly, how in depth are you willing to pay them to go? Most companies only want, or are only willing to pay for, your typical blind external pentest, which basically says "given 2 days and only the IP of your website, we couldn't get in through direct vulnerabilities on that IP"... It doesn't account for indirect attacks, or even just pure random luck, etc.
Also, just because a pentest was conducted at any level doesn't mean the client actually followed the recommendations. Quite often security compromises are made because of cost or lack of skills, etc. Many networks are also not designed with security in mind, so significant improvements would require a massive (and costly) redesign.
And it sounds like this case talks about an incident response job, but again, jobs like that are down to budget and scope... When I've done such jobs, often the scope (and budget) has been limited to the systems known to be compromised, but that's not really enough, as systems are usually interconnected and often managed from the same workstations, etc. The outcome of most incident response jobs is usually that "your logging isn't good enough to really know what happened" and "we really should look at other systems but there isn't budget for it".