I would argue you’re almost right, the two considerations are intent (if you say something is true and it is not true, that is a vulnerability) and real world use (if the site accepts usernames and passwords, and is unencrypted, and there is some impact to a breach or credential theft, there is a vulnerability).
