After you’ve been testing for a few years, it is generally pretty easy to work out whether a site has been tested before.
Greenfield sites which are on their first test are generally pretty obvious, not just because they tend to have the worst vulnerabilities, but because they have none of the mitigations against the common issues which show up in every test report. Some sites (particularly those using a decent development framework) won’t be too bad, but show me a handcrafted PHP site on its first test and I will show you a sixty-page report on it. It is this type of site where you find the kind of vulnerability you get in practice applications designed to train testers – error-based SQL injection, stored XSS with really basic vectors, authorisation flaws where you can change other people’s data by navigating from user/8 to user/9, and so on. Getting a test done for this type of customer represents really good value for money, as even a short-form review with a spreadsheet list of findings can genuinely protect against real flaws which have a very real and present danger of being exploited.
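The user/8 to user/9 flaw above is a missing object-level authorisation check: the handler trusts the id in the URL and never asks whether the session principal is allowed to see that record. The following is an added example, not code from the original post, showing the unchecked handler beside a hardened one. The in-memory store, the user records, the role names and the function names are all constructed for illustration and assume no particular framework.

```python
# Added example (not from the original post): an object-level authorisation
# check of the kind that stops a user walking from /user/8 to /user/9.
# The store, records, roles and names below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    name: str
    email: str
    role: str = "user"  # constructed roles: "user" or "admin"


# Constructed sample data standing in for a users table.
USERS = {
    8: User(8, "Alice", "alice@example.com"),
    9: User(9, "Bob", "bob@example.com"),
    1: User(1, "Root", "root@example.com", role="admin"),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


def get_user_vulnerable(requested_id: int, session_user_id: int) -> User:
    """The 'first test' pattern: the id from the URL is trusted outright.

    The session is never consulted, so any logged-in user can read any
    record simply by changing the number in the path.
    """
    return USERS[requested_id]


def get_user_hardened(requested_id: int, session_user_id: int) -> User:
    """Look the record up, then confirm the session principal owns it
    (or holds a role allowed to see it) before returning anything."""
    caller = USERS.get(session_user_id)
    if caller is None:
        raise Forbidden("no authenticated principal")
    record = USERS.get(requested_id)
    if record is None:
        # Same error as for a forbidden record, so the response does not
        # reveal which ids exist.
        raise Forbidden("record not available")
    if caller.role != "admin" and caller.user_id != record.user_id:
        raise Forbidden("record not available")
    return record


def can_read(handler, requested_id: int, session_user_id: int) -> bool:
    """Does this handler let session_user_id read requested_id?"""
    try:
        handler(requested_id, session_user_id)
        return True
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    # Alice (8) asking for Bob's record (9) through each handler.
    print("vulnerable:", can_read(get_user_vulnerable, 9, 8))  # True
    print("hardened:  ", can_read(get_user_hardened, 9, 8))    # False
```

The important design point is that the check is done against the authenticated session, not against anything the client supplied, and that a missing record and a forbidden record produce the same response.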
Then there are applications which have been tested once or twice before, perhaps as part of an overall infrastructure review. They might not have glaring flaws as above, but a decent specialist web tester can often find more subtle problems which have been missed. Often less critical issues such as poor session management will still be present, perhaps because they were not regarded as a priority when the high-risk vulnerabilities were being fixed, as will problems in areas such as authorisation which are not handled by frameworks and can be quite difficult to fix.
Finally you can always tell an application which has been tested to bits before. There will be no robots.txt file, the SSL configuration will score an A+ and all the HTTP security headers will be present (in my experience no site that sets X-Frame-Options correctly is ever on its first test). At this point human nature says that no tester wants to hand in a report with no findings, so the tendency is to find more and more trivial issues which are not exploitable in any meaningful way just to fill up the report. This is often seen when tests are carried out for compliance reasons rather than from any expectation of finding anything significant, or from any hope of improving security.
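The presence of the HTTP security headers is one of the quickest ways to gauge this maturity, and it is also something a site owner can check for themselves before paying for a test. The following is an added example, not code from the original post: a small audit that parses a raw HTTP response head and reports which hardening headers are missing or carry a weak value. The header names are the real ones; the acceptance rules, the function names and the sample responses are constructed for illustration, and the exact values a given site needs depend on the application.

```python
# Added example (not from the original post): audit the hardening headers
# of an HTTP response. The acceptance rules and sample responses are
# constructed for illustration; the header names are the real ones.
from typing import Callable, Dict, List, Tuple

# Header name (lower-cased) and a predicate saying whether its value is
# acceptable. These follow commonly published hardening guidance.
EXPECTED: List[Tuple[str, Callable[[str], bool]]] = [
    ("strict-transport-security", lambda v: "max-age=" in v.lower()),
    ("x-frame-options", lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN")),
    ("x-content-type-options", lambda v: v.strip().lower() == "nosniff"),
    ("content-security-policy",
     lambda v: "default-src" in v.lower() or "frame-ancestors" in v.lower()),
]


def parse_response_head(raw: str) -> Dict[str, str]:
    """Parse the status line and header block of a raw HTTP response.

    Returns a dict of header name -> value. Parsing stops at the blank line
    that ends the head; if a header is repeated the last value wins.
    """
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every expected header
    is present with an acceptable value. Names match case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name, acceptable in EXPECTED:
        if name not in lowered:
            findings.append(f"missing: {name}")
        elif not acceptable(lowered[name]):
            findings.append(f"weak value: {name}: {lowered[name]}")
    return findings


# Constructed sample responses: a "tested to bits" site and a first-test site.
MATURE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "\r\n"
)
FIRST_TEST_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Powered-By: PHP\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("mature", MATURE_RESPONSE), ("first test", FIRST_TEST_RESPONSE)):
        print(label, audit_headers(parse_response_head(raw)) or ["no findings"])
```

Running it prints no findings for the mature response and four missing headers for the first-test response; a site that returns an empty list here will almost certainly have been through a tester's hands before.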
So as an industry, testers need to be trying to encourage organisations which have never been assessed at all to dip a toe in the water and get started, with the understanding that the first quick test is probably going to deliver more bang for its buck in terms of actual vulnerabilities discovered (and hopefully resolved) than anything they will do in the future. This isn’t to say don’t continue to work on your security, just that it is important to start somewhere. The Government should be helping to push companies along this road, and in fact the Cyber Essentials scheme is a step in the right direction.