To many security firms, a web application vulnerability assessment is a list of confirmed exploitable findings in a web application. They index the site, run scans, manually test, so research, and write them all down. The report will get you through a PCI audit.
That's not enough. You must tell the developer how to fix the problem, and "apply patches" isn't enough. If you find cross-site request forgery, and can't explain the developer how to fix the problem on their platform, you aren't doing enough. "Add a token" isn't enough. "Apply fix as appropriate for your language" isn't enough. If you don't know, that's fine, but learn.
We are, as an industry, doing a tremendous disservice to companies by selling them 68 pages of non actionable fluff for $10,000. If you, as a tester, aren't sure how to fix it, look it up, ask someone, or work directly with the developer to find a solution.