What is it?
a service, system, or application which contains a vulnerability or multiple. One or more vulnerabilities are then exploited as an attack; they have just used a threat vector.
Why is it mentioned?
organisations must know what their attack surface is so they can dedicate resources accordingly.