Interesting reading around open source vs commercial and the future of web application scanning. From the Watchfire blog there is a good discussion with an interesting post and some good comments.
A near perfect web application security site testing tool is a difficult thing to achieve, I liken it to the elusive antivirus heuristics which occasionally pops up - yet we are still reliant upon signature based methods for Antivirus and Malware detection. At present the online tools here at HackerTarget.com are also based around scanning for known issues with particular configurations or applications / servers. SQLiX does do a crawl of your site looking for obvious SQL injection points and is pretty good at picking up the obvious ones.
For a real test of custom web code, nothing can beat trained and experienced web application testing specialists doing manual tests with a little help from some specific tools.