It’s a great argument as to why risk assessment does not work well in the information security space. The basic thesis is that you can’t assign a probability to a serious attacker. We’ve built a whole risk model on the idea that we can assign a probability to various events, so we treat risk in a malicious environment as we would in a "normal" environment. We have a certain risk of machine failure, so the reasoning goes that we have a similarly measurable risk from a malicious attacker, and of course these two are not equivalent at all.
A great interview to listen to.