The key issue with current risk measurement?
During a presentation about the current risk measurement discussions in our field, I realized (yeah, not enough to say "epiphany" :-)) that the key issue with the current methods is the complete lack of calibration and feedback.
Most organizations don't have any process to collect data and use it to verify their risk measurement results. Maybe the H/M/L stuff could work if there were an ongoing process in place to make it reflect the expectations of the business in terms of risk and to tune the likelihood and impact values and bands according to what is observed in reality.
I've never heard of any organization doing that; I'd really love to see the results if anyone out there is doing it.
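
A minimal sketch of the feedback loop described above, added here as an example and not taken from the original post: it compares how often risks rated H/M/L actually materialised in a review period against the probability range each band is supposed to mean. The band ranges, the `Rating` structure, the `min_samples` threshold and the sample register are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed probability-of-occurrence ranges per review period (not from the post).
BANDS = {"L": (0.0, 0.10), "M": (0.10, 0.40), "H": (0.40, 1.0)}

@dataclass
class Rating:
    risk_id: str
    likelihood: str  # band assigned at assessment time: "H", "M" or "L"
    occurred: bool   # whether the event materialised during the review period

def calibration_report(ratings, bands=BANDS, min_samples=5):
    """Compare the observed event frequency in each band with the band's range."""
    report = {}
    for band, (low, high) in bands.items():
        outcomes = [r.occurred for r in ratings if r.likelihood == band]
        if len(outcomes) < min_samples:
            report[band] = (len(outcomes), None, "insufficient data")
            continue
        observed = sum(outcomes) / len(outcomes)
        if observed > high:
            verdict = "underestimated"   # events happen more often than rated
        elif observed < low:
            verdict = "overestimated"    # events happen less often than rated
        else:
            verdict = "calibrated"
        report[band] = (len(outcomes), observed, verdict)
    return report

def brier_score(ratings, bands=BANDS):
    """Mean squared error of band midpoints against outcomes; lower is better."""
    errors = [(sum(bands[r.likelihood]) / 2 - r.occurred) ** 2 for r in ratings]
    return sum(errors) / len(errors)

def sample_ratings():
    """Constructed register: (band, rated risks, risks that occurred)."""
    counts = [("L", 10, 3), ("M", 8, 2), ("H", 3, 1)]
    return [Rating(f"{band}-{i}", band, i < hits)
            for band, total, hits in counts for i in range(total)]

if __name__ == "__main__":
    ratings = sample_ratings()
    for band, (n, observed, verdict) in calibration_report(ratings).items():
        print(band, n, observed, verdict)
    print("Brier score:", round(brier_score(ratings), 4))
```

A band flagged "underestimated" or "overestimated" is the signal to retune its range or the way risks are assigned to it, and tracking the Brier score across review periods shows whether that tuning is improving the ratings.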