The main objective of vulnerability analysis is to select the alternative which is the least vulnerable. To make this selection, we must describe the vulnerability of each alternative by a single number -- then we will select the alternative with the smallest value of this vulnerability index. Usually, there are many aspects of vulnerability: vulnerability of a certain asset to a storm, to a terrorist attack, to hackers' attack, etc. For each aspect, we can usually gauge the corresponding vulnerability, the difficulty is how to combine these partial vulnerabilities into a single weighted value. In our previous research, we proposed an empirical idea of selecting the weights proportionally to the number of times the corresponding aspect is mentioned in the corresponding standards and requirements. This idea was shown to lead to reasonable results. In this paper, we provide a possible theoretical explanation for this empirically successful idea.