A threat is any circumstance or event that has the potential to compromise confidentiality, integrity, or availability.
A vulnerability is a weakness. It can be a weakness in the hardware, software, configuration, or users operating the system.
A risk is the possibility of a threat exploiting a vulnerability and resulting in a loss.
Risk mitigation reduces risk by reducing the chances that a threat will exploit a vulnerability or by reducing the impact of the risk.
Security controls reduce risks. For example, antivirus software is a security control that reduces the risk of malware infection.