Paul Asadoorian has summed it up quite nicely in EP 373 of the Security Weekly Podcast. 

A good pentest not only answers the question “can my controls be breached?” but also the following questions:

• How can I be breached?
• How much damage to my business can a breach do?
• Where am I most likely to be breached given my current defenses?
• What can an attacker do once he has breached one system?
• Do I have capabilities to detect a breach? 
• How long will it take me to detect the breach?
• How well will people in my organization react to a breach or someone trying to breach one of my systems?

I just wanted to take down those questions for you and me, because they might come in handy when arguing once again over what a good or bad pentest is.