There's a regression in bandit 1.6.0 which causes bandit to stop
respecting excluded directories, and our tests throw a bunch of
violations. Blacklist this version, but allow newer versions as there is
already a pull request to fix it, and I expect it will be included in
the next release.
Also fix the requirements job which was broken by
https://review.opendev.org/657890 adding a cap on Sphinx on Python 2.
Co-Authored-By: Jake Yip <email@example.com>