Prioritize vulnerability severity when resolving security finding

Given the decision not to update the severity of Security::Finding when overriding the severity of Vulnerability or Security::Finding for performance reasons, we should prioritize the severity from the related Vulnerability when resolving and serializing Security::Finding records.

When a Security::Finding is associated with a Vulnerability record, use the severity from the related Vulnerability. If no related Vulnerability exists, default to the severity of the Security::Finding.