If you look at it from a safety perspective the majority of security incidents aren't breaches.  So in order of severity you have a serious breach, major incident (which could of course be availability related), incident, minor incident (such as, single desktop missing upto date AV) and then the near misses from which you can learn a lot.  And finally you have the security weaknesses and poor practices which need addressing, which you'd prefer everyone report do you're aware they exist.