Long, I know where you're coming from. However if you say "X has a vulnerabilty" to a security architect and your "vulnerabilty" doesn't cross a security boundary, it'll be dismissed as incorrect. Avoiding the word vulnerability takes the focus off a strict
technical definition and focuses more on what is or isn't the right behaviour.
AndyC, are process privileges security boundaries?