It's a completely valid point that usually companies will do a single security review and want it to last for a number of months, often a number of years. Continuous monitoring is the only reasonable way to ensure adequate security of a company's website; if new code is being written, new vulnerabilities are bound to be written too.

Prioritizing vulnerabilities by which to conquer first and analyzing which vulnerabilities will hurt you more quickly and hit you or your clients the hardest is also interesting; it's something we (Tinfoil Security) already do, but not something we see enough people think about.