I mean at that point isn’t the pushback “hey Management, this pentester is clearly incompetent. We need a new one.”?


Yes, but with the problem that the pentester had been hired by our client and our client was a multibillion budget quasi-governmental organisation (transit authority) that was not inclined to listen because that'd involve mid-level managers sticking their necks out when they didn't need to and didn't know who was right.

So we did the British thing and went for a lot of passive-aggressive "oh, but how come it's ok for the CIA and your own website?" etc. to force them on the defensive and demonstrate that a lot of what they did was basically ticking pointless boxes.

We did manage to carve out some willingness in the client organisation to ignore bits and pieces as we clearly increased our credibility relative to the pen testers, but it was a massive pain.
