Make a Vulnerability a proper todo target

Currently we cannot search for todos on vulnerabilities and the GraphQL
endpoint errors out if it encounters a Todo on a vulnerability. Now both
should work just fine.

Changelog: fixed
EE: true