Honestly, I have never-ever-ever seen people more confused than this about what are threats and what are vulnerabilities.
Just an idea: Richard Bejtlich should start a doghouse on his blog, kinda like what Bruce Schneier has for crappy crypto on people who mix up the definitions of threats, assets and vulnerabilities. Examples:
" Here are some relatively common security threats to help you get started in creating your company's threat list:
Computer and network passwords.
The article is also full of hilarious blurbs such as this "Most threats repeat themselves, so by cataloging your company's past experiences and including the relevant threats on your threat list you'll get a more complete picture of your company's vulnerabilities."
Stuff like this makes people not take the security profession seriously...