Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source
These are the 'things' malicious hackers are looking for. They want to take advantage of these weaknesses so they can breach your infrastructure. Vulnerabilities aren't a problem in just one area of Information Technology; they span multiple areas you need to be aware of. So what can have these issues or weaknesses? Computers, servers, applications, buildings, and people, to name a few.
A program, or piece of code, designed to find and take advantage of a security flaw or vulnerability in an application or computer system, typically for malicious purposes such as installing malware.
An exploit is not the end deliverable. The exploit gets a foot in the door, and then a malicious actor drops in a payload. The payload is the actual code that does something: for example, stealing data, running a cryptocurrency-mining trojan, or turning your system into a proxy for further attacks or reconnaissance.
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
What could be a threat? Just about anything, but we usually talk about natural threats, like tornadoes, hurricanes, wildfires, etc., and man-made threats, like war, terrorism, malicious hackers, insider attackers, etc.