I am turning the tables and am going to ask all of YOU.
Post your examples of policies, regulations, articles, blogs - basically anything written - that misuses key security terms like risk, threat, vulnerability, etc.
This could be fun.
Maybe I'm old (or old-school), but I don't like when:
Other than that, I generally find that the popular press is unable to understand the difference between a side-channel attack against a specific implementation of a cryptosystem and the cipher itself being "broken" - as in, mathematically proven to not provide the level of security that was thought. No one is "breaking AES in 30 seconds!" -- they're recovering key material by monitoring signals emanated from the implementation during operation and using that to reduce the problem space to recover the rest of the key. That's fundamentally different than showing AES is broken.
I came across one at work where someone had basically conflated 'reducing' the attack surface with every other concept in cybersecurity by using it as a consumer durable in what was essentially a list of controls, that ended with 'and significantly reduces the attack surface.'
Patches, MFA, using Linux, having a procedure, administrative controls... it all got it. Just try making your own controls up:
"We keep a rabid St Bernard in our server room that tries to kill everybody who enters. This makes the webservers less accessible to attackers because their fingers are chomped off and they can no longer easily introduce Disney themed mass produced comedy USB drives... thereby significantly reducing the attack surface."
As you can see, it lends a superior air of authenticity and authority!
I have one to kick it off. How about we start spelling "cybersecurity" properly as defined in both Oxford and Webster dictionaries. Then maybe we can get Microsoft to update their dictionary.