Set up security.txt

Wikipedia may not yet provide current information:
https://en.wikipedia.org/wiki/Security.txt

Examples:
https://www.ncsc.nl/.well-known/security.txt
https://www.sidn.nl/.well-known/security.txt
https://internet.nl/.well-known/security.txt

How my hosted sites use .htaccess:
Redirect 302 /.well-known/security.txt https://janwillemstegink.nl/.well-known/security.txt

And if legacy functionality is a requirement:
Redirect 302 /security.txt https://janwillemstegink.nl/.well-known/security.txt

For developers:

  • A CMS can generate security.txt daily.
  • A CMS could delete security.txt if it is still directly under public_html.
  • In case of required legacy retrieval, redirection works.

I have asked internet.nl to report on a legacy security.txt anyway.
A legacy file can contain previous, confidential information.
Internet.nl could perhaps show test results such as:

  • Information for legacy does not exist
  • Only information for legacy exists
  • The information for legacy is identical
  • The information for legacy is not identical
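
One way to produce the four results listed above, as an added example (not code from internet.nl or from this page's author). The function names, the example.org origin and the sample file contents are assumptions; the comparison ignores line-ending and trailing-whitespace differences, and a response only counts as a security.txt if it carries the Contact field that RFC 9116 requires.

```python
import urllib.error
import urllib.request

WELL_KNOWN = "/.well-known/security.txt"
LEGACY = "/security.txt"


def http_fetch(url, timeout=10):
    """Return the response body as text, or None when nothing is served.
    urllib follows redirects, so a 302 to the .well-known file is resolved."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError):
        return None


def as_security_txt(body):
    """Normalise a body, or return None if it is not a security.txt.
    RFC 9116 requires a Contact field, which filters out HTML error pages
    served with status 200. Assumption: line-ending and trailing-whitespace
    differences do not count as a difference."""
    if body is None:
        return None
    lines = [line.rstrip() for line in body.replace("\r\n", "\n").split("\n")]
    if not any(line.lower().startswith("contact:") for line in lines):
        return None
    return "\n".join(lines).strip()


def legacy_status(origin, fetch=http_fetch):
    """Classify the legacy file into one of the four results listed above."""
    primary = as_security_txt(fetch(origin + WELL_KNOWN))
    legacy = as_security_txt(fetch(origin + LEGACY))
    if legacy is None:
        return "Information for legacy does not exist"
    if primary is None:
        return "Only information for legacy exists"
    if primary == legacy:
        return "The information for legacy is identical"
    return "The information for legacy is not identical"


if __name__ == "__main__":
    # Constructed sample responses for a placeholder origin; no network needed.
    new = "Contact: mailto:security@example.org\nExpires: 2030-01-01T00:00:00Z\n"
    old = "Contact: mailto:former-admin@example.org\n"
    site = {"https://example.org" + WELL_KNOWN: new, "https://example.org" + LEGACY: old}
    print(legacy_status("https://example.org", site.get))
```

With the 302 redirect shown earlier in place, both paths resolve to the same file and the result is "The information for legacy is identical".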

Newly arisen issue:

The WHOIS record of a domain and its DNS settings may happen to be someone else’s responsibility.
In this situation, security.txt might not point correctly.