Our application security tests usually take between 10-30 days. The effort depends on the size and complexity of each application. Though some small applications can be tested in 5 days, most apps take 10 days or longer.
At times, clients ask us why we can't just do it in 2-3 days with the help of a scanner.
Running a scanner is only a small part of the penetration test. A scanner is useful for finding SQL Injection and Cross Site Scripting vulnerabilities.
And those are not the most important attacks on your application.
The attacks you are most worried about are those that affect your business directly. In an online banking app, can an adversary siphon off funds? In an insurance application, can an adversary modify the terms of a user's policy? In a healthcare application, can an adversary change the prescription for a patient?
Scanners, naturally, do not understand the business context. They run generic test cases for popular attacks. They do a decent job of that, but they don't exercise your business logic.
The penetration tester dons the hat of the adversary. He studies the application and thinks through what the adversary wants to achieve. He constructs security test cases to beat the business logic - to siphon off funds, to modify the terms of a policy, to change the prescription. This requires understanding the application, constructing a threat profile, designing a test plan and then executing the test cases.
For most applications, that will take between 10-30 person days, with many of the efficiency improvements we have brought to our testing processes. A 3-day test would be a lot less thorough.