Whenever an attacker identifies a security vulnerability in a software application—for example, a mail server, a web server, a DNS server, an ftp server, a firewall system, or other devices—the goal is usually to gain leveraged access into the target system.
There are many types of security vulnerabilities.
The most common are buffer overflow and stack overflow.
Generally, overflow vulnerabilities causes the software application to do something that it is not meant to.
This will take advantage of the identified security vulnerability and push the software to the limit, breaking it and, in the breaking process, gaining leveraged access to the target system with the same privileges as the given program that is being attacked.
Doing a vulnerability scan is a harmless process that uses many ingenious techniques in order to identify vulnerable applications on a targeted system.
This could be done by relying on version banners from the software, searching for the whereabouts of vulnerable files, identifying old, non-patched software, and many other techniques.
That's the limit of a simple vulnerability scan.
It is important to launch a real exploit against your system in order to determine as realistically as possible how effectively your patches are working.
You'll also get to check whether or not you're running the latest versions and service packs on your system.
A vulnerability scan that only relies on version banners or on the presence of known vulnerable files and/or other techniques is a very smooth process designed to not harm anything in your system and tends to not be overly aggressive at all.
It is therefore highly recommend for you to test all your pre production systems by launching real exploits at them, so when they go online in a production environment.
You are ensured the high security of these systems. However, it is still necessary to test your production systems continuously because new threats occur on a daily basis.
Whitehat Pentesters often prefer to launch real exploits to show evidence that a target system is really vulnerable to an identified vulnerability.