Roger Cummings, director of the UK's National Infrastructure Security Co-ordination Centre, made interesting comments reported by News.com:
"Cummings said the most significant element in the malicious marketplace is foreign states, whose target is information. Next are criminals who are trying to compromise the CNI in order to sell information. Hackers motivated by kudos or money have 'a variable capability' when it comes to attacks... However, these pose a more serious threat than terrorists, who currently have a low capability."
The article continues:
"NISCC is working with its equivalents in the countries concerned to try to shut the attacks down, Cummings said. The agency cannot name the countries concerned as this may 'ruin diplomatic efforts to halt the attacks,' he added."
Imagine that -- he didn't say "holes in Internet Explorer," or "Windows RPC services." The director named parties with the capability and intentions to exploit vulnerabilities in assets.
A visit to the NISCC site shows separate threats and vulnerabilities pages. The threats page begins with these words:
"NISCC's key role is to minimise the risk of electronic attack to the CNI. This involves assessing 'threats' from a variety of sources including criminals, foreign intelligence services, terrorists or virus writers."
The vulnerabilities page begins with these words:
"NISCC undertakes research into computer vulnerabilities or 'weaknesses' and augments this with extensive intelligence to determine the extent of threats to the Critical National Infrastructure from hostile and malevolent elements.
Working with a number of partners, NISCC has had considerable success in identifying problems, and getting vendors to provide software 'patches', through a policy of 'responsible disclosure'."
So, here is another organization that understands the difference between threats and vulnerabilities.