mk: do not check vulnerability when just fetching distfiles

This is intended to reduce the log output on ftp.NetBSD.org when
fetching all distfiles.

Also, we call the target in basically every step of package creation
(extract, patch, configure, build, install, package) - perhaps we should trim
this down some more.

(wiz)