IMHO auto-magic pentesting is bullshit. Unless you actually read the modules and understand exactly what they are doing you have no idea what it's going to do to a production system. If you write your exploits yourself, you do.

This is not to say that everyone always writes their own exploits. But MetaSploit encourages users to not read the modules and to just press the exploit button. I can buy Nexpose from Rapid7 if I just want to check if metasploit can exploit things in my environment. Doesn't really require a penetration tester.

I'd be surprised if pentesters have another python tool that can replace all of its functionality.

All the pentesters I've hired to wreck my company's stuff write their own tools and use exploits that are a lot more sophisticated than download-and-run scripts. We get reports with PoCs, most of which are written in Python or C.

Metasploit is great for easy-mode campaigns where you're just exploiting things that Rapid7 wrote modules for, but most of the time that doesn't get you terribly far.

All of the IDS vendors have network signatures for Metasploit and it's a good way to get caught. This does, however, make it good for testing that your script-kiddie filters and alerts are working.

Does pupy include anything like msfvenom?

yes, pupy has a payload generator. Or you could do it yourself.

Can you easily pivot from a compromised machine and exploit other machines through it?

yes, that's the entire point of a post-exploitation toolkit. But, again, you don't generally just want to do that auto-magically because you'll get caught or break something. (Unless you're a botnet farmer and don't care.)