Some warning message could be shown when type:"security" is selected, but if security issues are not supposed to go through the tracker maybe that type shouldn't exist in the first place.
A fixed message in the issue creation page might be OK too, as long as it is not too invasive.  Adding some instructions to the devguide is definitly OK.

BTW, a more effective and already available way to "hide" those messages is to mark them as spam -- but that's just an ugly workaround.