Originally Posted by tdracer

I'd take that one step further - the tendency is to evaluate failure conditions in isolation - i.e. MCAS malfunctions and puts in stab trim when it shouldn't - not as failure condition that results in multiple independent system faults.
I had dinner recently with several retired and active (but near retirement) Alaska 737 pilots. Naturally the recent MAX crashes came up. To a man they all agreed a simple MCAS malfunction resulting in unexpected stab trim inputs would immediately prompt them to turn the auto stab trim 'OFF'. Hence the understandable assessment that an MCAS failure wasn't flight critical.
However, MCAS failed because AOA was bad, which drove multiple related faults such as stick shaker, bad airspeed, and unexpected stab trim to due to MCAS - suddenly a complex and confusing combination of faults that could overwhelm a crew (and the lack of information and training just made it worse). Suddenly a no-big-deal MCAS problem is potentially catastrophic.
I did wrote several Failure Mode and Effects Analysis (FMEA) and System Safety Assessment (SSA) documents during my career. The key was to access 'and single failure or likely combinations of failures'. It's getting that second part right that seems to be lacking.