If necessary? Seriously? You are trying to tell me that you are not convinced that someone who should do all of the other steps listed might not need to worry about security?
The level of security knowledge required to do decent penetration testing is a relatively rare skill and therefore often necessitates bringing in a third party which can skew the cost/benefit quite badly.
You're often much better off saying that your site has a certain level of security because it's built in default thing X until it grows a bit.
Generally you'll know already if you're in a market or field where penetration testing is absolutely necessary (finance, health, well-known brands, etc.) and it won't be a question.
If you just have a sales website it's probably not high on your list of priorities, no. Same with anything that doesn't collect data (i.e. presentation only) or an expensive paid-for service with a long sales cycle.
In all of the above cases I would consider security while creating, but I wouldn't do a lengthy pen test while trying to get the product out there. Of course that's also dependent on your target audience.
You are your brand. If your homepage gets turned into a billboard for goat.cx you are owned in more ways than one...
There is really no point in us discussing this further. We have dramatically different assumptions on the importance of security and the value of a company's image/reputation.
I didn't say it wasn't a priority, or that you should leave yourself open to being totally owned, just that executing a pen test against your new website is probably overkill in some situations.
To put things in perspective, think of the following typical situation: Website relaunch for a small company, total budget is $4000, cheapest quote you got for penetration testing is $300. Good luck selling that as a line item to a client whose email password is "123456".
Thank you for the clarification. From the discussion of deployment, development and marketing teams and the TV promo I thought it was aimed at a different demographic.