Re-enable pip-audit checks for torch CVEs once 2.9.0 is adopted #74

@romeokienzler

The CI pip_audit job currently ignores the following vulnerabilities in .github/workflows/ci-build.yaml:

  • PYSEC-2025-203 — torch 2.8.0 torch.linalg.lu slice DoS (fixed in 2.9.0)
  • PYSEC-2025-204 — torch 2.8.0 rot90 + randn_like interaction (fixed in 2.9.0)
  • PYSEC-2025-206 — torch 2.8.0 nan_to_num().long() integer overflow (fixed in 2.9.0)
  • PYSEC-2026-139 — torch pt2 loading handler deserialization (no fix released yet)

Action items

  • When torch is bumped to >=2.9.0, remove PYSEC-2025-203, PYSEC-2025-204, PYSEC-2025-206 from the ignore-vulns list.
  • Periodically recheck upstream for a fix to PYSEC-2026-139 and remove it once a patched torch release is available.
  • Audit torch.load / pt2 load sites and add weights_only=True (or equivalent) where checkpoints could come from untrusted sources, since PYSEC-2026-139 will remain unpatched for a while.
