Don't show Status "fixed" for CVEs that never affected that release

Take https://security-tracker.debian.org/tracker/CVE-2025-5399 for example: this vulnerability never affected bullseye and bookworm because the vulnerability was introduced later.

The problem is that the security-tracker shows the vulnerability as fixed under Vulnerable and fixed packages.

I've had someone reach out to me in the past to ask about this, as they were confused due to not understanding whether a fix was ever pushed.