Follow-up from "Limit vulnerability management policy to 5 rules"

The following discussion from !172874 (merged) should be addressed:

• @arfedoro started a discussion: (+4 comments)

  Thank you @lorenzvanherwaarden

  For the sake of keeping this MR small, I suggest to update Merge request approval policy in a follow-up, what do you think?