Return to the real world for a moment. No responsible system administrator would intentionally allow an unknown hacker to breach their network. Penetration testing is a useful tool for testing security, and it is used to attempt to prevent real attacks succeeding.
Monitoring how hackers are attempting to gain access and correcting the potential flaw they are attempting to exploit certainly takes place, but you don't just open the doors for hackers. Case in point: I noticed repeated failed attempts in my server logs from script kiddies attempting to dictionary-attack administrator passwords using a list of common usernames for FTP and SSH. I responded by installing fail2ban, which temporarily bans an IP after a specific number of failed attempts. Ergo, I have removed a security issue without having to learn about it the hard way.
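The ban-after-N-failures behaviour described above, sketched as an added example (not code from the original post, and not fail2ban's own implementation). The parameter names mirror fail2ban's `maxretry`, `findtime` and `bantime` jail options; the log lines, their simplified ISO timestamps and the `find_bans` helper are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines; addresses are from documentation ranges.
# Real syslog timestamps differ; ISO format is an assumption to keep parsing short.
SAMPLE_LOG = """\
2024-05-01T10:00:00 sshd[801]: Failed password for root from 198.51.100.20 port 51000 ssh2
2024-05-01T10:00:01 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
2024-05-01T10:00:05 sshd[812]: Failed password for invalid user test from 203.0.113.7 port 40124 ssh2
2024-05-01T10:00:09 sshd[813]: Failed password for root from 203.0.113.7 port 40126 ssh2
2024-05-01T10:02:00 sshd[820]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
2024-05-01T10:05:00 sshd[830]: Failed password for root from 203.0.113.7 port 40130 ssh2
2024-05-01T10:20:00 sshd[840]: Failed password for root from 198.51.100.20 port 51002 ssh2
2024-05-01T10:40:00 sshd[850]: Failed password for root from 198.51.100.20 port 51004 ssh2
"""

FAILED = re.compile(
    r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

def find_bans(log_text, maxretry=3, findtime=timedelta(minutes=10),
              bantime=timedelta(minutes=10)):
    """Return [(ip, ban_start, ban_end)] using a per-IP sliding window of failures."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside findtime
    banned_until = {}             # ip -> time the current ban expires
    bans = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        ts = datetime.fromisoformat(m.group(1))
        ip = m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue              # still banned; a firewall rule would have dropped this
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((ip, ts, ts + bantime))
            window.clear()        # counting starts over once the ban expires
    return bans

if __name__ == "__main__":
    for ip, start, end in find_bans(SAMPLE_LOG):
        print(f"ban {ip} from {start} until {end}")
```

The slow guesser at 198.51.100.20 never trips the default window, which is the trade-off of a short `findtime`: widening it catches low-and-slow attempts at the cost of banning more users who mistype passwords.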