Vulnerability-scanning products are generally automated: they go out and check which known exploits exist in your network, and whether the latest software versions and patches are in place. They will only pick up known exploits, and the reports have to be analysed and acted upon. Attackers can exploit these vulnerabilities with an exploit kit.
Penetration testing and vulnerability scanning are only as good as the point in time at which they were performed, how skilled the testers are, how much integrity they have and what you do with the information. From the moment a vulnerability scan has been performed, things can change. If recommendations are made but not acted upon, the exercise is pointless.