1. Vulnerability Assessments
Roger G. Johnston
Right Brain Sekurity
http://rbsekurity.com
The idea behind Vulnerability Assessments (VAs) is that we cannot prevent or test what we haven't envisioned.
Vulnerability Assessments (VAs) involve imaginatively thinking like the bad guys to discover security weaknesses (i.e., "vulnerabilities"), attack scenarios, and potential countermeasures.

VAs are often confused with other security analysis techniques like threat assessments, risk assessments, security surveys, security audits, DBT, CARVER, pen testing, "red teaming", etc. These other techniques may well be worth doing, but they commonly suffer from a number of problems:
1. They aren't as good as VAs at finding vulnerabilities, attack scenarios, and countermeasures, often because they are focused on other things.
2. They are rarely done in an imaginative manner by creative people using critical thinking skills.
3. Unlike VAs, they don't mimic the thought processes of the bad guys. If we want to predict what the bad guys may do, we need to think like them!
4. These (often formalistic) methods typically suffer from the Fallacy of Precision and/or claims of exactness, objectivity, and reproducibility that—upon close examination—are merely sham rigor.
One of the problems is that the term "vulnerabilities" often gets hijacked so that it becomes confused in people's minds with threats, risks, assets that we need to protect, features of our facility or security program, or attack scenarios. When this happens, it becomes difficult to think and talk about the problems with our security. Sloppy terminology does have consequences!
https://www.amazon.com/dp/B08C9D73Z9