I don't agree. I don't think you fully understand the linkage from the "Context" to the "Planning" requirements. You most certainly Do Not have to do risk assessments for all processes, according to the standard (it's simply not stated) and, hence, if your auditor left you with that NC or understanding, they are similarly incorrect.
Let me help you out: If, in understanding the internal and external issues which can affect the QMS (4.1) you determine that there's a risk in not finding sufficient skilled workers (a common theme here in the USA), your organization may chose to create a program to train their own skilled workforce. Now, looking at 6.1, the planning should address the QMS to create that training programme, since it's unlikely that your current training procedure is sufficient... Someone needs to decide to work on it, how long it will take, who else it will involve, know when it's working etc. That's how it's supposed to work.
Let me help you out: If, in understanding the internal and external issues which can affect the QMS (4.1) you determine that there's a risk in not finding sufficient skilled workers (a common theme here in the USA), your organization may chose to create a program to train their own skilled workforce. Now, looking at 6.1, the planning should address the QMS to create that training programme, since it's unlikely that your current training procedure is sufficient... Someone needs to decide to work on it, how long it will take, who else it will involve, know when it's working etc. That's how it's supposed to work.