Ethics (testing and mitigation)

Is it ethical for a security testing (VA, Pen-test, etc.) shop to provide
mitigation services? If so, under what context? How to guard against the
tendency to try to sell a customer the solutions that profit you the
most instead of those that the customer needs the most? Should services
be sold as a single blanket package or priced in such a way as to
minimize this effect? How does this damage your credibility as an
impartial tester?

You don't have to answer all of this, just looking for discussion along
these lines.

IT Security/Disaster Preparedness Consultant