As you know, a penetration test is a simulated attack in which the testers use all the tools of the hacking trade to attempt to break into your systems. When you roll out a new piece of software or create a new infrastructure system, a penetration test should be conducted on that system to see whether any discovered vulnerabilities can actually be exploited. Unlike vulnerability analysis, which identifies the problems in your system, the penetration test determines whether those problems are exploitable in practice. This quantifies the risk for management and allows them to make investment decisions on whether additional money should be spent on further securing the system.
The other benefit of penetration testing over simple vulnerability testing is that it can be conducted from either a black-box or a white-box perspective. The difference between these two kinds of testing lies in the amount of prior knowledge the system owners give the testing team. With black-box testing, the penetration testing team is given no information (or very little) about the system they have to attempt to hack. This way you are testing whether a bad guy would have the necessary tools and skills to break into your systems. White-box testing, on the other hand, is carried out from an internal perspective, where the test team gets full access to accounts, documentation and other resources that make their life easier. White-box testing helps you deduce what might be possible should you be attacked by someone who has inside knowledge. Both approaches are useful, and both yield risk assessment metrics for you to evaluate. Most importantly, though, you can determine from the penetration testing report which countermeasures would be the most important to implement within your environment.