Re: CF disable-service-access broken
This is actually expected behavior. You can find documentation about service access here https://docs.cloudfoundry.org/services/access-control.html. It notes a limitation at the bottom.
"You cannot disable access to a service plan for an org if the plan is currently available to all orgs. You must first disable access for all orgs; then you can enable access for a particular org."
This is because service access works in two modes: 1) available to everybody. 2) available in a whitelist to specific organizations.
Service access does NOT work as a blacklist.
The example you posted shows it as available to all, which means it is in the first mode I listed. If you want more granular control, then you will need to disable access for all orgs, and then whitelist each org that should have access.