fix: ignore security requirements when unsuccessful

[mefellows]

A general 404 can't be supported because the OAS doesn't have one (or does it?)

Are you saying that in the case a user doesn't define a 404 in the OAS, but expects one in the Pact it would fail the check? If so, that is sensible to me. We should only allow it to pass where an explicit status code exists in the OAS, I think.

[vwong]

As I understand OAS, you can attach responses to specific routes only, there is no catch-all route. So, if there is a 404 response for a given route, then we'll match it accordingly, but we can't catch-all 404s.