Update far_reaching_impact_fixes_or_breaking_change_fixes.md

We should make it clear that an S1 or S2 security issue must go through the security release process with backports and proper CVE identifiers, and can not be changed into a feature enhancement. This stems from a recent issue where I mistakenly approved changing an S2 vulnerability, which would otherwise have a breaking change, into a featureenhancement. Original discussion in Slack thread.