What is the worst problem with classic risk analysis?

Prepare for the Network Security (NETSEC) 2 Exam. Utilize flashcards and multiple choice questions, complete with hints and detailed explanations. Excel in your security skills!

Multiple Choice

What is the worst problem with classic risk analysis?

Explanation:

The key idea here is that risk in classic analyses is often calculated as a product of how often a threat is expected to occur in a year (the annualized rate of occurrence) and the potential impact. The toughest hurdle is estimating that frequency reliably. In information security, data on incident frequencies is often scarce, underreported, or not representative of current conditions because threats evolve quickly, new attack vectors appear, and defenses change over time. If you can’t estimate how often an event will happen in a year, your risk number becomes speculative, and decisions based on it can be misguided.

Protections covering multiple resources or resources being protected by multiple protections aren’t the fundamental bottleneck in typical risk calculations; they relate more to defense-in-depth design than to the reliability of risk quantification. And while costs and benefits changing year to year affects financial analyses, the core difficulty in classic risk assessment remains the uncertain frequency of events.
