January 25th, 2005, 06:07 PM
#1
The answer is very simple. A vulnerability scanner is unable to identify logical flaws within the application that cause security risks.
Further to that, most app scanners have problems in spidering a site correctly and maintaining correct state. They also have great problems with forms that have to be completed in a sequence, i.e. form 1, then form 2, then form 3.
But on their plus side, they are very good at static checks, i.e. looking for default files, and searching for backups of used files.
So in reality, for an app security test you need both, because if you were to do all the checks manually, as a consultant you won't get any work because your quotes would be too big.
SittingDuck
I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"