This article discusses “Being Vulnerable to the Threat of Confusing Threats with Vulnerabilities* It was published by the LANL Vulnerability Assessment Team.
The author begins the article by stating: The following ideas are common, but I think quite wrong and thus myths:
A Threat without a mitigation is a Vulnerability.
A Threat Assessment (TA) is a Vulnerability Assessment (VA).
Threats are more important to understand than Vulnerabilities.
Many of the most common tools used for “Vulnerability Assessments”
(whether true VAs or actually TAs) are good at finding Vulnerabilities.