Answer: To calculate, or define, the values of threat and vulnerability, you must consider historical/statistical data (either from your own organization or related to your industry) and the opinion of the personnel who best know the assets and the process you are assessing. The information available will allow you either to calculate the values based on quantifiable data or to adopt values based on the perception you and your team have of the situation.
It is important to note that for ISO 27001 there is no need to assess threat/vulnerability values to calculate the level of risk.
2. How to write the findings and recommendations in the assessment report with the overall risk rating and security ranking?
Answer: ISO 27001 does not require the findings of the assessment report to be linked directly with overall risk rating and security ranking (in fact, including this correlation would result in an excessively complex report with little added value).
Regarding recommendations, for each finding the consultant should provide at least one or two recommendations on how to handle the situation (e.g., controls to minimize probability and/or impact of a risk occurring).
3. Kindly do let me know how to update the overall score and risk rating (Highlighted in Red box)
Answer: If by the overall score and risk rating you mean the level of risk associated with the findings identified in the assessment, then the way to improve the score and the rating is to introduce controls which will decrease the risk, by handling the findings.