Pentesting : what should one do if nothing is returned from Vulnerability Assessment

A typicall pentesting activity has the following step :

   1 - information gathering + enumeration    2 - vulnerability assessment (vulnerability scanning)    3 - exploitation    4 - post exploitation (persistence, clearing tracks, etc...)    5 - report writing 

Step 1 to 4 can be a cycle after getting a foothold.

But what do you do if you don’t get that foothold. That is, on the iteration, Step 2 (Vulnerability scanning) does not return any vulnerable service nor configuration. If social engineering is not part of the deal, does it mean it’s pretty much game over ?