Threat is a potential that can cause disruption/loss to an asset.
e.g. A threat can be understood as potential that a bad guy can break a street side window glass to gain access to your facility.
Vulnerability is a weakness which can increase the probability that a threat will cause some disruption/loss to an asset.
e.g. A street side window with a simple 5mm glass with no additional controls (like security guard or steel bars) can be an example of vulnerability as it is easy to break a simple 5mm glass.
Risk is a potential that a threat will take advantage of a vulnerability to cause some disruption/loss to an asset.
e.g. A risk can be understood as potential that a bad guy can attempt to steal something important by coming through a street side glass window.
Vulnerability assessment is a process of identifying vulnerabilities that exist in an asset.
e.g. Vulnerability assessment is process of identification of such entry points that are not adequately protected.
Penetration Testing is a process of exploiting identified vulnerabilities to determine the level of damage they can cause to an asset.
e.g. Penetration testing can be understood as demonstrating how a bad guy can gain access and what he would be able to steal.