Unfortunately, after a lot of discussion, I think this is the only solution, which I've put in IdeaStream;
I think the problem is that the App_Administrators group is a member of the default Administrators group. Members of the default Administrators group have access to 'nearly' everything and exclude groups do not remove those permissions. As far as I know, 'nearly' means that Administrators do not automatically inherit permission to security groups that are applied to items that default to Nobody. The 3 ManageSystemSecurity tasks default to Nobody so Administrators have to be explicitly given access to these groups. So your security model is giving App_Administrators access to them and then excluding them. I would look at removing App_Administrators from the Administrators group and instead give them the Application role AdministerApplication. That should give them the same access as Administrators to the Application items (and the added bonus is they can't change their own security). Then add the System roles that the App_Administrators need - start from nothing and add rather than start from everything and remove.
In my opinion the standard way of configuring security (i.e. one security group applied to more than one securable item as in your case Exclude_App_Administrators) is inflexible and confusing. If you want another way of doing security have a look at this page. It is a link to my blog.
