• We have an external company doing security audits on all external-facing systems every three months. Sure, it's canned tests with some manual follow-up on potential holes, but it's better than nothing, and they've certainly helped us close several holes in security - including SQL injection on some VERY old web sites. New exploits pop up all the time, so it's important to do regular testing, I think.

    A couple of times we've also had a consultant "attack" some very important websites, to ensure that no one could get to restricted information.