It's funny and I get what he/she is trying to say, but it's not that clever because there's no definition of what a security vulnerability is.

Pond is a great example of doing this well: https://pond.imperialviolet.org/threat.html

"if an entity can do something that is not listed here then that should count as a break of Pond"