Let's face it, security comes after business. And why shouldn't it, for most commerce systems? A security decision that works against the business is hardly ever accepted. An operations team member may leave a known service port open on an Internet-facing service, with a default or easy-to-guess username/password, just "to get the service up and running". The security team should continually scan the services for this type of "innocent vulnerability" and get them fixed.
Another reality is that information security specialists are in general outnumbered even by the physical security personnel, let alone operational and business-oriented employees. That raises the question: how will security personnel keep up with the speed of change in the IT infrastructure? Security specialists should not only scan periodically, but also put the results into perspective. This means analyzing the reports, eliminating the false positives and prioritizing actions. Moreover, running only automated scanners, while valuable, isn't enough anymore. So security personnel should also run manual analysis on the target systems, especially against the web applications. All these actions require considerable time and, given the number of security-oriented employees, might get out of hand quickly.
Continuous security scan services periodically scan a target network and its applications, then find and report vulnerabilities. Moreover, such a service should not just "scan and find" vulnerabilities; it also has to add manual value to the analysis by eliminating false positives, helping with prioritization and using manual audits to catch hard-to-find business logic and design vulnerabilities.
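The "scan, then put the results into perspective" loop described above, as an added example that is not part of the original post: two consecutive scan runs are diffed so that new, fixed and persistent findings are separated, analyst-confirmed false positives are suppressed, and what remains is ranked by severity and Internet exposure. All hosts, ports, check names and the false-positive list are constructed sample data, not output of any real scanner.

```python
"""Triage for recurring vulnerability scans (constructed sample data)."""
from dataclasses import dataclass

# Rank used for ordering; higher means more urgent.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check: str           # scanner check name (constructed, hypothetical)
    severity: str
    internet_facing: bool


def finding_key(f: Finding) -> tuple:
    """Identity of a finding across runs: same host, port and check."""
    return (f.host, f.port, f.check)


def diff_scans(previous: list, current: list) -> tuple:
    """Split the current run into new, fixed and persistent findings."""
    prev = {finding_key(f): f for f in previous}
    cur = {finding_key(f): f for f in current}
    new = [f for k, f in cur.items() if k not in prev]
    fixed = [f for k, f in prev.items() if k not in cur]
    persistent = [f for k, f in cur.items() if k in prev]
    return new, fixed, persistent


def prioritize(findings: list, false_positives: set) -> list:
    """Drop confirmed false positives, then rank by severity and exposure."""
    kept = [f for f in findings if finding_key(f) not in false_positives]
    return sorted(kept, key=lambda f: (SEVERITY_RANK[f.severity],
                                       f.internet_facing), reverse=True)


# Constructed sample runs: the exposed default-credential SSH service from
# last week was fixed, a database port has since been opened to the Internet.
PREVIOUS_RUN = [
    Finding("10.0.0.5", 22, "ssh-default-credentials", "critical", True),
    Finding("10.0.0.5", 443, "tls-weak-cipher", "medium", True),
    Finding("10.0.1.20", 8080, "http-trace-enabled", "low", False),
]
CURRENT_RUN = [
    Finding("10.0.0.5", 443, "tls-weak-cipher", "medium", True),
    Finding("10.0.1.20", 8080, "http-trace-enabled", "low", False),
    Finding("10.0.0.7", 3306, "mysql-exposed", "high", True),
    Finding("10.0.1.20", 8080, "outdated-server-banner", "medium", False),
]
# Analyst-confirmed false positive (constructed): TRACE is disabled upstream.
FALSE_POSITIVES = {("10.0.1.20", 8080, "http-trace-enabled")}


def triage() -> dict:
    """Full cycle: diff the runs, then produce the ranked open-items list."""
    new, fixed, persistent = diff_scans(PREVIOUS_RUN, CURRENT_RUN)
    return {"new": new, "fixed": fixed,
            "open": prioritize(new + persistent, FALSE_POSITIVES)}
```

Persisting the false-positive set between runs is what keeps each weekly report from re-raising items an analyst has already closed.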