1. Do you find there is any truth in the truism that many institutions decline to conduct penetration tests by third parties because most of them know those tests will show vulnerabilities they'd rather not acknowledge?
2. How do you cope with the vulgar jokes?
"There are few things that are impossible for me..."
I believe that there is a head-in-the-sand mentality sometimes when it comes to information security. Having said that, there can be legitimate reasons for it. If an organization is notified about vulnerabilities that it can't do anything about fixing, it may be liable legally later on if it turns out there are damages resulting from that vulnerability and it comes out (as it will) that it knew and did nothing. I have at times run across organizations that will submit to testing but are very constrained about the parameters of the testing. Desktops are usually off-limits, as are things like voice networks -- these are two places where they are most likely the most vulnerable.
Since I am prone to making vulgar jokes myself, I'm not sure what you are talking about with your second question.