I’ve seen pen tests priced anywhere from 5k USD to as high as 50k USD.
There is a lot of smoke and mirrors in this market and a lot of dishonest providers. Even within PCI compliance checks, a situation came up where a company that deals in really private data had a web app that was woefully insecure. I ran a PCI check and it failed on so many points. It turned out that the developer who built the app would, every time the bank scanned the app, phone the bank and argue with them that their test was wrong until they gave him a passing grade.
Security is really not difficult. I’d argue that unless you are running external services (why are you?) or have money to burn, then get pen tests.