This is very confusing requirements in new standards. There are thousands issues in a company. How many of them to be included in risk analysis? You can never satisfy an auditor.
This is worst requirements of QMS. The theory of risk based thinking and issues has replaced 'preventive actions' of previous versions. But considerations could have been given how it would be effectively implemented before including this concept in new standards.
Yes, auditor have a got a good weapon in form of clause 4.1 to raise NCs. Even if you identify 5000 issues, they will tell you one more from your company and that too, in form of NC.