Risk management is exactly what the TSA isn't doing. They are taking a past threat and building security they *think* would protect the current system from it. Only, that's not really what they're doing.
If we had learned anything from 911 planes would takeoff manually, land and fly on autopilot with a remote operator ready to take over in case of automation failure. A co-pilot who can only take control if the remote override is toggled would suffice to prevent the entire situation of flying bomb. Now you think we can't do that? We can put a missile through a window at 500 feet above the ground, we can fly a large lumbering bird through clear skies to a known destination safely and eliminate the threat. We don't want to do that, since it would mean "the terrists" won. Instead we put on a kindergarden play and let strangers touch our no-no places.
And WWII warfare was not security theater, it was misdirection. Totally different. The TSA is telling the world what they're doing is real security, they're buying real security devices and creating completely irrelevant measures.
And yes there is nothing currently in place to stop another rectum bomber. And yes, we know what the risks are without these measures. We flew hundreds of thousands of flights since air liners started to be used as a weapon of terror in the 70s.
As a security professional I must say what the TSA does is a mockery of real security.