I certainly do perform various tests on our application, database and infrastructure security, but I only see that as the first layer. I'm not a security expert, so my coding, my administration and my testing can only find issues to a certain level. That's good as a means for ensuring we're consistently following best practice, and it's an effective first pass. However, for many of our applications - and particularly anything public-facing - we follow up that first pass with something more rigorous from true experts in that field.

As has been said many a time before, security is a matter of layers. In my opinion, so should the testing be.