August 14, 2007

Is DREAD really dead?

A couple of years ago I stated that I wasn't a fan of DREAD when threat modeling. I prefer the standard information security risk formula of "risk = Probability (chance) * Damage Potential (damage)". I was pleased to hear from a Microsoft security dude that "DREAD WAS DEAD" back then, and I haven't looked back.
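As an added illustration (not part of the original post, and not from David LeBlanc or Microsoft), here is a constructed Python comparison of the classic DREAD average against the probability-times-damage formula above. It assumes the DREAD definition from Howard and LeBlanc's Writing Secure Code (five factors, each rated 1 to 10, then averaged) and a 0 to 1 probability estimate; the three findings and their ratings are made up for the example.

```python
"""Constructed comparison: DREAD averaging vs. probability * damage.

Assumptions (not from the original post):
  - DREAD per Writing Secure Code: five factors, each 1..10, averaged.
  - The post's risk formula taken as probability (0..1) * damage (1..10),
    reusing the DREAD "Damage" rating as the damage term.
"""
from dataclasses import dataclass

DREAD_FACTORS = (
    "damage",
    "reproducibility",
    "exploitability",
    "affected_users",
    "discoverability",
)


@dataclass(frozen=True)
class Finding:
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int
    probability: float  # analyst estimate of chance of exploitation, 0..1


def dread_score(f: Finding) -> float:
    """Average of the five DREAD ratings; each must be in 1..10."""
    ratings = [getattr(f, k) for k in DREAD_FACTORS]
    for r in ratings:
        if not 1 <= r <= 10:
            raise ValueError(f"{f.name}: DREAD rating {r} outside 1..10")
    return sum(ratings) / len(ratings)


def pd_risk(f: Finding) -> float:
    """risk = probability * damage potential, as preferred in the post."""
    if not 0.0 <= f.probability <= 1.0:
        raise ValueError(f"{f.name}: probability {f.probability} outside 0..1")
    return f.probability * f.damage


def rank(findings, scorer):
    """Names ordered highest-risk first under the given scorer."""
    return [f.name for f in sorted(findings, key=scorer, reverse=True)]


# Constructed sample findings (hypothetical, for illustration only).
FINDINGS = (
    # Full compromise, but hard to find and hard to exploit.
    Finding("remote_rce_hard_to_find", damage=10, reproducibility=9,
            exploitability=3, affected_users=10, discoverability=2,
            probability=0.3),
    # Minor information leak that anyone can find and trigger.
    Finding("info_leak_trivial", damage=3, reproducibility=10,
            exploitability=10, affected_users=10, discoverability=10,
            probability=0.9),
    # Local denial of service affecting few users.
    Finding("local_dos", damage=5, reproducibility=8,
            exploitability=8, affected_users=4, discoverability=8,
            probability=0.5),
)


if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f.name:26} DREAD={dread_score(f):4.1f}  P*D={pd_risk(f):4.1f}")
    print("DREAD order:", rank(FINDINGS, dread_score))
    print("P*D order:  ", rank(FINDINGS, pd_risk))
```

With these made-up ratings the DREAD average puts the trivial info leak (8.6) above the remote code execution (6.8), because four high "ease" factors outweigh one damage factor; the probability-times-damage formula ranks the RCE first (3.0 vs 2.7). That is the flattening effect the post objects to, and any scheme built on DREAD has to weight or bucket the factors to avoid it.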

Tonight I found a VERY interesting post by David LeBlanc on DREAD and how to use it with escalation to calculate the severity of vulnerabilities. I highly recommend you check his post out.

It is interesting to note that he mentions this is NOT how Microsoft is doing it, especially in MSRC. Yet DREAD is still being explored in this light. Not sure what to make of it. The breakdown into the 9 buckets surprises me, but in a good way. There is some reflective thought in his categorization, and it would be a welcome advancement in prioritization for patch releases... IF Microsoft could keep a semi-regular SP cycle. And if we could access slipstream media more readily. Just where are XP SP3 and Vista SP1 anyway? (Check out Alan's post on some leakage on the topic.)

Posted by SilverStr at August 14, 2007 12:26 AM