Update SAST docs with why we choose convention over configuration
Proposal
We often get questions around how to use a customer's existing or custom configuration for one of our preconfigured security scanners. In most cases the answer is that we do not recommend doing so, but we do not enumerate well why we do not, or have a definitive source to point customers to. We should update our docs or handbook with this explanation.
See previous discussions gitlab-org/security-products/analyzers/semgrep!38 (comment 582115633) and https://gitlab.slack.com/archives/CLA54H7PY/p1627571557253100
Edited by Lucas Charles