This creates a CE security_reports store that is a subset of the EE
version. This subset is roughly the minimum necessary to render counts
on the CE security MR widget. See this [epic][1] for more details about
the overall direction.

The majority of this change is just existing code that's been moved
and/or refactored. The only _genuinely_ new piece of code is the new
store's entry point:
`app/assets/javascripts/vue_shared/security_reports/store/index.js`.

Since the CE version only supports SAST and Secret Detection, this MR
also refactored the getters to generalise over an array of report types,
rather than hard code them all into every getter. This means that these
getters can be shared as-is between CE and EE, and behave correctly due
to the `reportTypes` field added to the state of both stores. These
getters are tested in both CE and EE, to verify the different behaviour
based on the available report types.

The `noBaseInAllReports` getter turned out not to be used anywhere, so
it was deleted.

Two existing getters, `anyReportHasIssues` and `areAllReportsLoading`
didn't have tests, so tests were added for them in both CE and EE.

Since the getters now more explicitly depend on the report types
installed in the store, constants were extracted to make their
connection explicit, and reduce the chance that typos would lead to
runtime errors.

The vulnerability severity constants were moved to a common location in
CE.

The definitions of the `LOADING`, `SUCCESS` and `ERROR` constants were
deleted from the `security_reports` directory, since their definitions
already exist in the `~/reports/constants.js` file. These constants are
intended to be used with/by the `ReportSection` component, so it makes
sense not to redefine them elsewhere.

Part of https://gitlab.com/gitlab-org/gitlab/-/issues/273423.

[1]: https://gitlab.com/groups/gitlab-org/-/epics/4394