Usually vulnerability scans don't affect your website. They are usually one or two packets per TCP port, and if spaced out correctly, you won't even notice them.
Some hosting companies just use their own simple script that runs "nmap" against a server and outputs the results to a file. Any change from the previous scan generates an alarm or email. It is simple and effective as a first line of defense.
Security will extend this to include attempts at known hacks, but the problem there is that you don't want them to try anything that could potentially affect your application.
You don't want to be in a situation where you have to tell your boss "Well, they did this security scan to help protect us against hackers, and, well... they crashed the website." That would be a resume-generating event!
Security companies often realize this and will just stop at a basic port scan and tell you what vulnerabilities could be present and how to fix them.
Some people would say "If the price is right, use them, learn as much about what they are doing as you can, and then do it yourself the next time." I would too, but if your business depends on the web, and your customers demand strong security, it may be better to blame the outside security consultants for any breaches. Credit card companies usually demand an impartial third-party security audit. Keep that in mind.
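
A sketch of the nmap-and-compare script mentioned above, for scanning a server you operate. This is an added example, not code from the original post or from any hosting company; the script name `portwatch.py`, the state-file argument and the sample scan text are assumptions constructed for illustration.

```python
import subprocess
import sys
from pathlib import Path

# Constructed sample `nmap -oG` output (documentation address, not a real scan).
BASELINE_SAMPLE = (
    "Host: 192.0.2.10 (www.example.test)\tStatus: Up\n"
    "Host: 192.0.2.10 (www.example.test)\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)\n"
)
CURRENT_SAMPLE = (
    "Host: 192.0.2.10 (www.example.test)\tPorts: 22/open/tcp//ssh///, "
    "80/closed/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///\n"
)

def parse_grepable(text):
    """Return a set of (host, proto, port, service) for every open port."""
    found = set()
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # skip nmap's "#" comment lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if field.startswith("Ports: "):
                for entry in field[len("Ports: "):].split(", "):
                    p = entry.strip().split("/")  # port/state/proto/owner/service/...
                    if len(p) >= 5 and p[1] == "open":
                        found.add((host, p[2], int(p[0]), p[4]))
    return found

def diff_scans(previous, current):
    """Return alert lines; an empty list means nothing changed."""
    alerts = [f"NEW {h} {port}/{proto} {svc}" for h, proto, port, svc in sorted(current - previous)]
    alerts += [f"GONE {h} {port}/{proto} {svc}" for h, proto, port, svc in sorted(previous - current)]
    return alerts

if __name__ == "__main__":  # usage (hypothetical name): portwatch.py TARGET STATE_FILE
    target, state = sys.argv[1], Path(sys.argv[2])
    scan = subprocess.run(["nmap", "-oG", "-", target],
                          capture_output=True, text=True, check=True).stdout
    previous = parse_grepable(state.read_text()) if state.exists() else set()
    alerts = diff_scans(previous, parse_grepable(scan))
    state.write_text(scan)  # this scan becomes the next baseline
    print("\n".join(alerts))
    sys.exit(1 if alerts else 0)  # non-zero exit lets cron or a wrapper send the email
```

On the first run there is no baseline, so every open port is reported as NEW; review that list once and later runs only report drift.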