The problems I see with the typical risk assessment are as follows:
Maintaining the list of assets updated
Maintaining the status of the treatments updated and the risk level coherent with that.
Maintaining the dependency of the assets in a way that irrelevant assets (like a server) have the real risk (due to the fact that that the server allows a critical process to run).
The problem I see is that when I finish the Excel the results are no longer relevant.