
IMO the reason why vulnerabilities matter is because you don't want to allow an additional area of attack _if an attacker breaches a layer_. This is similar to defense in depth. We don't just want a shell of security, but also additional challenges for when each layer is breached.


I'm really not talking about defense in depth. There are vulnerabilities that are not relevant to any layer of defense, such as the hypothetical grep vulnerability I talked about earlier.

Taking a risk-based approach doesn't get you to skip out on thinking about any category of vulnerabilities, at any layer of defense.



