Use semver for Secure stage analyzers

What does this MR do and why?

While thinking about Create process for fixing bugs in sast-rules (#464264), I realized we are currently unable to come up with meaningful bugfix version numbers because we are abusing the Patch part of the version to ship minor features.

This MR makes our use of versions closer to semver.org recommendations, so that only bugfixes will increment Patch.

It also clarifies that we increment Major only in sync with Major GitLab releases.