The TrustWave team pointed out that, starting from an insecure network segment, they eventually compromised the highly critical segment that processes payment card information.
Based on our experience, small and medium (and sometimes even large) enterprises nowadays hire pentest services only for their critical servers, while failing to secure the workstations on their other network segments. Password issues (weak or blank passwords, on both the operating system and on database and commercial application servers) remain common in some organizations because of lax system administration, even where a written policy and rules for setting strong passwords exist.
Judging from the case study, the TrustWave team would probably have found it much harder to attack the (presumably hardened) payment card network if they had targeted only that portion. We are sure TrustWave would explain to, and negotiate with, their client that testing only the secured portion would not represent the organization's actual security state.
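The practical lesson of the case study is that segmentation between the "ordinary" workstation segment and the card-data segment must be verified, not assumed. The following is an added example (not code from the TrustWave case study or from the original post) of a minimal segmentation check that a tester or administrator would run from inside the untrusted segment: it takes a policy of endpoints that must or must not be reachable and reports every mismatch. The endpoint names, ports and the hosts listed in the demo are assumptions for illustration; the demo stands up listeners on the loopback interface so it runs offline.

```python
import socket
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]


def tcp_reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    A filtered or closed port yields a timeout or ECONNREFUSED, both of which
    make connect_ex() return a non-zero errno.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def check_segmentation(policy: Dict[Endpoint, bool], timeout: float = 1.0) -> List[str]:
    """Compare reality against policy from the segment this code runs in.

    policy maps (host, port) -> True if the endpoint SHOULD be reachable from
    here, False if it MUST be blocked. Returns one line per violation; an empty
    list means the observed segmentation matches the policy.
    """
    violations: List[str] = []
    for (host, port), expected in sorted(policy.items()):
        actual = tcp_reachable(host, port, timeout)
        if actual and not expected:
            violations.append(
                f"{host}:{port} is reachable but policy says it must be blocked")
        elif expected and not actual:
            violations.append(
                f"{host}:{port} is unreachable but policy says it must be allowed")
    return violations


def _loopback_socket(listen: bool) -> socket.socket:
    """Bind an ephemeral loopback port. With listen=False the socket is bound
    but not listening, so the kernel refuses connections to it: this stands in
    for a host that is correctly filtered from this segment."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    if listen:
        s.listen(5)
    return s


def demo() -> List[str]:
    """Constructed scenario: three endpoints on loopback standing in for hosts
    as seen from a workstation segment (assumed names, not from the case study).
    """
    allowed = _loopback_socket(listen=True)    # e.g. the proxy workstations may use
    cde_db = _loopback_socket(listen=True)     # card-data DB: open, but MUST be blocked
    cde_app = _loopback_socket(listen=False)   # second card-data host: correctly filtered
    policy = {
        ("127.0.0.1", allowed.getsockname()[1]): True,
        ("127.0.0.1", cde_db.getsockname()[1]): False,
        ("127.0.0.1", cde_app.getsockname()[1]): False,
    }
    try:
        return check_segmentation(policy, timeout=0.5)
    finally:
        for s in (allowed, cde_db, cde_app):
            s.close()


if __name__ == "__main__":
    for line in demo():
        print("VIOLATION:", line)
```

In a real engagement the policy is the firewall rule set written down as expectations, and the script is run from a workstation in each non-critical segment; the first "is reachable but policy says it must be blocked" line is exactly the pivot path the case study describes. The check is TCP-only by design; UDP services and reachability through jump hosts need separate tests.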