Pen test reports take 40-80 hours to write but clients rarely read past the executive summary

A standard penetration test engagement produces a 60-120 page report that takes 40-80 hours of senior consultant time to write, yet client surveys show that fewer than 15% of stakeholders read beyond the two-page executive summary. The detailed technical findings that would actually help defenders fix vulnerabilities (affected hosts, reproduction steps, evidence, remediation guidance) sit in appendices that nobody opens. The pattern persists because compliance frameworks such as PCI DSS, and audit programs such as SOC 2 that accept a penetration test as evidence, treat the written report as the auditable artifact, so the report is written to satisfy an assessor rather than to inform the people who will fix the findings. The one caveat worth stating is that PCI DSS v4.0 Requirement 11.4.4 does require exploitable vulnerabilities found by the test to be corrected and the test repeated to verify the fix; in practice, however, that retest is scoped to the handful of findings the assessor asks about, not to the full appendix. The consulting firm's revenue model reinforces this: it bills for testing and report writing, not for remediation.

Evidence

https://www.pcisecuritystandards.org/document_library/
