A security assessment or penetration test that only focuses on the vulnerabilities and missing patches are too narrow in scope. This is a limited view and doesn't provide you with an overall picture of the risk an organization faces. Organizations need an assessments that looks at not only the vulnerabilities that exist, but what all the various risks are. Having a Windows patch or Adobe Reader up to date is not going to solve your security risks. These are important but too narrow. It is like driving a car that cannot turn left or right, it only gets you so far before the road ends.

Assessments are most likely required in your organization. Spend the money wisely and get one that actually helps create a more secure environment. Not just one that allows a box to be checked off a list.