You might consider something like www.qualys.com for your penetration testing. One product they offer is on-demand penetration testing / scanning. The bank has the ability to both schedule periodic scans and run the scans on demand (via the Internet). The pricing is on their web site and the scans are priced by the IP address or by the number of scans. I believe unlimited (i.e. daily, weekly, monthly, etc.) scanning is only $995 for one IP address. There are quantity discounts for multiple IP addresses. You can also purchase, say, a hundred scans in a package. The product scans for most of the known vulnerabilities.
This approach alleviates much of the problem I see with annual or even quarterly testing. New vulnerabilities are being discovered at such a rapid pace that a scan is only good for a day.
Of course the vendors to whom you outsource your IDS and firewall will be keeping up with the same vulnerabilities, so this would just be an additional layer of security.
This type of penetration testing would not be as robust as a test which includes manual testing (i.e. a live engineer actually tries to break into your system); however, a number of companies I have seen don't use any manual testing methods and just use a product like Qualys and "resell" it to you by interpreting the results for you...at a significant markup, I might add.
I have no relation to this company other than that we are in the process of implementing their product.