read_vulnerability custom role currently doesn't grant the access_security_and_compliance permission

See !128921 (comment 1514264829) for additional context, the read_vulnerability was recently added to view vulnerability reports which doesn't require access_security_and_compliance to view, but should be added to ensure the respective menu items are displayed correctly. This should address 1. and 3. indicated in the original MR.

1. The vulnerability report does not require :access_security_and_compliance to view, so the remaining menu items have been hidden when using the :read_vulnerability custom role because the user does not have :access_security_and_compliance.
2. The :read_vulnerability custom role currently doesn't grant the :access_security_and_compliance ability when it should.