Update security policy and SLA (#16303)
Summary of the issue:
Update security policy to clarify when security issues are submitted, for each severity level, what is our SLA, how many resources do we allocate, when do we release the patch & advisory?
Description of user facing changes
Documentation only: Security policy
