Is IA Becoming Mostly Complex?

Trend Micro's decision to stop seeking VB100 certification for its security product triggered these observations about IA in general:

• Events that are part of repeatable cause-effect relationships can be anticipated. This implies that it is likely we can gather data, perform analysis, and make good decisions based on that. In case you haven't recognized it, this is Knowable terrain (Cynefin taxonomy).
• To the degree that threats and threat mitigation capabilities are Knowable, it seems reasonable that de facto (or even de jure) metrics could be created to assess both areas.
• To the degree that threats and threat mitigation capabilities are Complex, it seems that traditional metrics are unlikely to be effective (though, as Dave Snowden has discussed, there are pattern-oriented approaches to traversing Complex space).

I wonder if Trend Micro has decided that the anti-malware domain has become largely Complex and that traditional measurement approaches are not only misleading, they're increasingly dangerous.

Or maybe I'm just projecting....