Another view...
I had a customer who called in one of these so-called security analysts to check over an app I'd developed for them. One of the big red flags in their report was that my app transmitted passwords in plaintext across an unencrypted internet connection. It doesn't, but they refused to back down, saying they had documented proof. Turns out the person doing the testing had a habit of making his usernames and passwords identical.