Quantifying based on the formula
There is a massive misunderstanding in risk in general, and you are running into this misunderstanding.
That's not a formula!
Risk = Threat x Vulnerability x Information Value
describes a relationship between those factors. You are not supposed to drop numbers in there and come out with a quantitative result.
Note that there are other risk assessment "formulas", and your example is just one. Every assessment model has a place and is used in different contexts. They can also assess different kinds of risk. There are Inherent Risk and Residual Risk assessment models.
Scoring vulnerabilities
As for your example of two vulns with a CVSS score of 7.0, but they are in different risk contexts: the answer is that the scoring of the risks is different because they are in different contexts. The different contexts also likely mean that the threats are different, too. The vulnerability is not a risk in and of itself. The vulnerability can be assessed and scored independently of the risks. That's why there is a separate risk assessment process.
Many infosec professionals equate and confuse "vulnerability" with "risk", and will often swap one term with the other. But they are different ideas and the assessment model highlights that.
Where's Probability in the formula?
Risk = Threat x Vulnerability x Information Value
does not include any notion of probabilities/likelihoods. Probabilities are replaced by "threats" as it can be difficult to quantify probabilities of loss in information security. Quantifying threats is much easier and repeatable. So, likelihood gets rolled into the "threat" factor.
Estimating Threat
Threats are independent of vulnerabilities and impacts. Flooding is a threat, but if I live on a mountaintop, my vulnerability to flooding is really low and so is the impact. If I live in a submarine, my vulnerability to flooding is high and so is the potential impact. So, you need to assess threats in context.
One way to do that is to assess the threat in relation to different impacts and segment the threats:
- What is the threat of rain causing interior water damage on the walls?
- What is the threat of rain causing an inch of water on the floor?
- What is the threat of rain filling a room with water?
- What is the threat of rain washing the house away?
By segmenting the threats, you can assess your risks with more sophistication and treat the different scenarios differently and more efficiently.