Some fun things I have had to deal with during some NVA/PT assessments for customers over the past 3 months.
You begin scanning 5 hosts and the customers switch rolls over, everything stops responding, and the customer calls you asking what you did.
I enjoy customers that leave usernames and passwords for critical systems on a web page with unauthenticated access, and they say that it is not a security vulnerability.
You find access to a customers Github.com site and your boss tells you to not explore the site and only report that you had access to login, since the site was not in scope.
You report a finding that you found last year for the same customer, and it allows you complete access to the server.
You find default access to a website that controls the customers network switches, UPS, and other main pieces of their infrastructure, and the customer says he is not worried about.
You find systems that are missing patches from 2004, and the customer tells you that it is not critical. You tell them to remove it from the network, and they tell you they need it for some other system that is important.
I am sure I will have more to come in the next few months, since my boss is stacking up assessments like they are going out of style, and we are still trying to hire a new pentester.