Why A Penetration Test ≠ An Automated Vulnerability Scan