Adam, I fully agree with you and shun any "security testers" who operate within the scope of "let me show you how it could happen" as opposed to "let me show you how it will happen".

Template-based testers also leave organizations vulnerable, missing out on the specific risk within the organization vis-à-vis the company's risk appetite. That's why frameworks like OCTAVE-S/Allegro and NIST come into play to offer a holistic risk mitigation approach. Knowledge on what to look out for is also scanty, though that's a debate for another day.

Shoot me an email and we could engage further on this.

-ty