Board: Services
Re: Security consultant/code reviewer
by madmadmax on 10/02/2015, 11:03:59 UTC
A lot of the time, it's not the code that is vulnerable. I'll be honest in saying that when I used to do 'illegitimate testing' against websites, the code was normally not the issue. You'll find now that people are using frameworks more and more that get rid of issues such as the OWASP Top 10 and so on. It also comes down to the issue that if they're using a lot of classes and a large system (PHP), it would take a long time to go through multiple PHP files just for one single function (hence the per-hour thing being a bit ridiculous here).

I am checking the code, not doing pentesting. If nobody derped up while writing it and the implementation is correct, then there is no reason to pentest it. Automatic pentesting software is only applicable when looking for flaws in a large number of websites, seeking one to exploit (or one to secure, if you come knocking on the door offering your services); it has absolutely no use when securing a single business.

I don't slack and I work fast; $40 per hour is really nothing when it doesn't take that long to review a whole website.