@cerberus This assumption would be correct in my view. The issue here is one of actual scope, plus the extent of the testing itself. The only true way to know how vulnerable assets are is to perform a vulnerability assessment inside your network. Detecting vulnerabilities at the perimeter level is one thing, but if this "wall" was ever breached and exposed your internal network, then the scope dramatically increases, dependent on the security of that internal network.
In reality, no "testing" is fool-proof. Much of this depends on your attitude to risk.