Re-organize to group advisories by year instead of by package

[mbauman]

... and we also need to preserve the "one advisory per upstream/alias source advisory" best practice. Grouping into packages makes that harder. This also simplifies advisory lookup and provides a direct link to the source.

This follows from what Haskell is working to do: haskell/security-advisories#293