Can’t say that I agree with that assertion. It’s not as overt in 21 CFR 820 as in 13485, but it’s there (nominally in Design Validation). And just because it’s not as overtly stated, there’s no question that the current state of the art (i.e., the ‘c’ in cGMP) is to take a risk-based approach. For any device with software (including minor level of concern), the guidance indicates a hazard analysis (with identified mitigations) is required. If you look at any of the later guidance docs (human factors, incorporating wireless, etc.), there are plenty of references to risk management.
I think to dismiss risk management completely would be a, well, risky approach.