Set MR finding vulnerability state to `detected`

Malcolm Locke requested to merge 424830-set-vuln-to-detected into master

What does this MR do and why?

It is possible to create an issue from a security finding present on an MR via the pipeline security tab, or the MR security widget. These issues will need to be linked to a vulnerability, but for findings on an MR there may not be an existing vulnerability. In this case one is created.

This process has recently been migrated from REST to GraphQL. The GraphQL endpoint is incorrectly setting the created vulnerability status to `confirmed`. It should be `detected`. See #424830 (comment 1556151581) for discussion.

How to set up and validate locally

See the parent issue #424830 (closed) for verification instructions.

Related to #424830 (closed)
