https://github.com/phan/phan/blob/master/.phan/plugins/UnusedSuppressionPlugin.php is an upstream plugin that does this, but we'd just want it to warn about SecurityCheck-* ones.
This would have caught https://gerrit.wikimedia.org/r/457074 for example.