Personally I've always found "risks" in product roadmap tend to not be great. There's often no risks for 80 percent of the project then at the end we'll discover blockers and risks from teams who weren't (or weren't thoroughly) consulted. It's really hard to know and communicate with all the stakeholders in these complex organizations.
Most of the time risk analysis as it's done today is completely useless, as we tend to be pretty bad at risk assessment in general, and that is even worse in most organizations. Barry O'Reilly has a great talk on the topic somewhere on YouTube
You are right, as a civilisation we have no idea how to do risk assessment, and often when sh*t hits the fan, it is something we can't do anything about. At the current rate it is better to NOT do any risk analysis, and just be prepared for the worse case scenario.
