RAMPART-454 Document security / maintenance assumptions flagged by review

Add in-place comments at the three locations the Gemini review flagged
as HIGH/MEDIUM risk so the assumptions are enforced the next time
someone touches these files, without changing behaviour:

- modules/distribution/bin.xml: prepend a MAINTENANCE NOTE describing
  why the <excludes> list on the lib/ dependencySet exists (the dist
  must not duplicate jars already shipped in the Axis2 distribution)
  and what must be re-checked whenever ${axis2.version} or any
  transitive dep moves -- otherwise we re-introduce the httpcore5
  5.2.5 vs 5.4.2 style silent breakage.
- pom.xml: prepend a SECURITY NOTE to the <properties> block listing
  the checklist reviewers must follow when bumping wss4j / opensaml /
  xmlsec / bouncycastle: read every intermediate CVE release note
  (not just the newest), make sure no weak algorithm or key size gets
  re-introduced as a default, and re-run the policy samples.
- RampartUtil.validateTransport: expand the inline comment at the
  jakarta.servlet.request.X509Certificate lookup site to name the
  Servlet-spec contract we're relying on and explicitly state that
  re-validation of the chain is the transport listener's job, not
  ours. The Javadoc on the method already documented the attribute
  name; this makes the responsibility split visible at the call site.

3 files changed
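
A check of the kind the bin.xml note calls for, as an added example that is not part of this commit or of Rampart's build: it compares jar file names from the dist's lib/ with those of an Axis2 distribution and separates same-version duplicates from version clashes. The file listings, every version other than httpcore5 5.2.5 and 5.4.2, which side carries which httpcore5 version, and the function names are assumptions.

```python
import re
from typing import NamedTuple

# Heuristic: "<artifact>-<version>.jar", where the version starts with a digit.
_JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")


class Clash(NamedTuple):
    artifact: str
    dist_version: str
    axis2_version: str


def parse_jar(filename):
    """Return (artifact, version) for a jar file name, or None if it is not one."""
    m = _JAR_RE.match(filename)
    return (m.group("artifact"), m.group("version")) if m else None


def find_overlaps(dist_jars, axis2_jars):
    """Return (duplicates, clashes) for artifacts present in both lib/ listings."""
    axis2 = dict(filter(None, map(parse_jar, axis2_jars)))
    duplicates, clashes = [], []
    for name in sorted(dist_jars):
        parsed = parse_jar(name)
        if parsed is None or parsed[0] not in axis2:
            continue  # not a jar, or not shipped by Axis2: nothing to exclude
        artifact, version = parsed
        if version == axis2[artifact]:
            duplicates.append(artifact)  # same jar shipped twice: needs an exclude
        else:
            clashes.append(Clash(artifact, version, axis2[artifact]))
    return duplicates, clashes


# Constructed sample listings (hypothetical, not taken from a real build).
DIST_LIB = ["rampart-core-2.0.0.jar", "wss4j-ws-security-dom-3.0.3.jar",
            "httpcore5-5.2.5.jar", "httpclient5-5.3.1.jar"]
AXIS2_LIB = ["axis2-kernel-2.0.0.jar", "httpcore5-5.4.2.jar",
             "httpclient5-5.3.1.jar", "README.txt"]

if __name__ == "__main__":
    dups, clashes = find_overlaps(DIST_LIB, AXIS2_LIB)
    for a in dups:
        print(f"duplicate: {a}")
    for c in clashes:
        print(f"version clash: {c.artifact} dist={c.dist_version} axis2={c.axis2_version}")
    raise SystemExit(1 if dups or clashes else 0)
```

The non-zero exit status lets a build step fail when either list is non-empty.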