Web security is a very broad term. It includes bugs in old protocols, usage of dangerous techniques, trivial human errors made by developers, and more. It is difficult to test products in such a broad area without a plan. The Open Web Application Security Project (OWASP) made the life of pentesters easier by producing the OWASP Testing Guide.
Conventional wisdom holds that the most vulnerable component of any computer system is its user. Humans may be inattentive, unthoughtful, or misinformed and easily become victims of phishing attacks. Accordingly, this weak link must be tested for security as thoroughly as the software and hardware components.