I thought the talk at Defcon by Chris Rock around exploiting the flaws in the deaths and births registration process was very good.
More interesting than the technical aspects are the potential nefarious use-cases such as committing virtual mass-murder, or raising virtual babies for the purposes of insurance fraud, second identities and much more.
This is important because far too often people will focus on the technical bugs and issues and discount them because they may not see the broader impact and potential for harm. It does boil down to risk assessment and how risk is articulated. There are many times I’ve seen a penetration test report where the tester has picked up the technical vulnerability, but failed to fully understand the real business impact and labelled something as posing potential reputational risk. Only when you tie together all the pieces can the true impact be seen.