A threat and a vulnerability are not one and the same. A threat is a person or event that has the potential for impacting a valuable resource in a negative manner. A vulnerability is that quality of a resource or its environment that allows the threat to be realized.
In system and network security, the threats remain present but are mitigated through the proper use of security features and procedures. Mitigation is any effort to prevent the threat from having a negative impact, or to limit the damage where total prevention is not possible, or to improve the speed or effectiveness of the recovery effort.
Hardware and software systems and the data they process can be vulnerable to a wide variety of threats. The selection of security features and procedures must be based not only on general security objectives but also on the specific vulnerabilities of the system in question in light of the threats to which the system is exposed. It is possible to over-protect, which only wastes resources and inconveniences users.
The final category, Technical concerns, includes insidious system-specific situations such as improper system operation, malicious software and line tapping. The actual threats are few: untrained and nefarious users and system calamities. It is far more useful to explore the many avenues (vulnerabilities) open to these users and events, and to consider ways to prevent these occurrences and/or provide for rapid recovery.
