Web application security is interesting to test, in particular because, unlike most network and operating system testing, most web applications are custom-built. Even when they’re not custom-built, there’s enough diversity out there that simply looking for known problems isn’t good enough. You need to review the application itself.
At one of my previous employers, we had a good system for reviewing all web applications with a couple of commercial scanner tools; applications could not be deployed into production until the results of those scans were acceptable. Application scanners do not, of course, catch everything — there are always esoteric conditions that are easily missed in automated tests. Manual testing has an important place in assessments. Automated testing, though, does have a number of advantages.
One is scalability: manually testing a large number of applications quickly becomes unwieldy and outgrows your budget or your team's capacity. Another is thoroughness, since a good scanner can make sure that every part of the application receives attention and nothing is inadvertently missed. The trick is to combine the two effectively for a high-quality review.