Clemens, that’s a great question about goals vs. requirements.
Goals are the “why”. They describe overall purpose behind the project. There should only be a handful of 1–3 goals, or else it’s a sign the project’s motivations are getting muddled. Each goal should have a clear outcomes. The purpose of writing down goals is to over-communicate and ensure everyone is starting from the same base assumption.
Requirements are the “what.” These are more tactical. For just this specific project or phase, what are we agreeing we’ll be doing? What are the parameters and assumptions we’ll working within?
As to your last question, the two sections that I’ve found often take the longest or grow unexpectedly are “security” (which often stems from lacking an initial framework for weighing risks and mitigation strategies) and “roadmap” for huge projects where the future seems very murky and there is a lot of discovery left to do.