I do not profess to be an expert about information security, but I certainly agree with the analogies you draw. There are many obstacles to overcome when seeking to create a measure of the extent to which systems are flawed, or prone to risk, failure or exploitation. We know intuitively that life is not perfect. However, measuring the degree of imperfection is another matter, even when dealing with systems whose other aspects can be perfectly quantified. The problem stems from our lack of a perfect, and generic, model to use as a basis for comparison. Attempts to create such a model often succumb to the temptation to substitute pseudo-science for an approach founded on real empirical results. Of course, obtaining empirical data from many sources is problematic because the subject matter is imperfection.