A vulnerability is an inherent weakness in something (a device, system, process, situation, person etc.) that might be exploited by a threat, perhaps causing an impact of some sort.
Vulnerability exists regardless of the presence or absence of controls: the absence of a control is a separate, fundamentally different concept, although the two are often confused by non-experts and even by some so-called experts.
Take, for instance, the risk of being burgled at home.
The primary threat is the burglars - the criminals who might just pick a given home to burgle. There are other threats too (e.g. untrustworthy visitors and opportunists) but let's leave it at that for now.
The primary impact on the homeowner is the loss of their assets - the valuables that are stolen. Again, there are other impacts (e.g. the traumatic feeling of one's personal space being violated, and the implied or actual threat to personal safety). The impacts of burglary differ according to one's perspective. To the homeowner or occupier, the financial replacement cost, disruption and emotional toll are all potentially significant impacts. To society, burglary rates can affect the popularity of particular areas, leading to societal and cultural changes. To insurance companies, the impacts of burglary include insurance claims and payouts ... plus increased custom (a positive business impact or opportunity for them).
So what are the vulnerabilities?
Some would claim that the lack of a burglar alarm is a vulnerability ... but, no, strictly speaking that would simply be a missing control, not an inherent weakness.
Inherent weaknesses include the concept of 'home' i.e. a place to live plus property that someone considers exclusively 'theirs'. If it weren't for the very notion of assets and property ownership, we would not feel so hard-done-by if burglars removed 'our' assets, since they would, in effect, own and have the same rights over them as we do. In law, this leads to the crime of conversion, larceny or theft: a criminal can only 'steal' things from me if I 'own' them. They would be depriving me of the rights over the property that lawful property owners can reasonably expect to enjoy. It's a mixture of possession and control, in the sense that, say, a ransomware infection takes possession of the data and controls access to it, without literally removing it.
There are other vulnerabilities to burglary such as:
- The visibility and attractiveness of the place to burglars which, arguably, is greater relative to neighbouring properties if there is no obvious alarm, if the place appears unoccupied, if doors and windows are left open etc.;
- The need to admit various people for legitimate purposes e.g. tradesmen, the emergency services and debt collectors, friends and family;
- Welcome mats, house parties and various other invitations to visit or enter e.g. tenants, guests, 'open house' marketing promotions and parties;
- At a societal level, factors such as widespread and harsh socio-economic hardship increase the threat of burglary in afflicted areas, hence the conditions that caused or led to that situation might be termed vulnerabilities - 'contributory factors', perhaps.
Conceptually, we've come a long way from 'lack of a burglar alarm'!
If you're still not convinced of the difference, can I persuade you to buy my magic crystal? The crystal emits a particular form of energy that burglars find intolerable. They are literally too uncomfortable to approach or enter the property. Without it, you are highly vulnerable. A snip at just $20 per gram (minimum 500 grams, delivery, installation and sales tax extra).