There are two additional problems, among others I will not mention here: - I never heard of an important cybersecurity incident having as a root cause a mistake in a Risk Assessment
- I have never found a Risk Assessment that is self correcting, in other words, it is possible to detect if any of its output is wrong