I think this definition needs to be expanded to include a threat source. If you talk with secure software developers, they have a practice called threat modeling, which is well defined by some of the big industry vendors. In terms of threat modeling, developers consider "SQL Injection" a threat...