• OK, it's not a bug. It's expected behavior. There will be an update to Books Online accordingly to clarify things.

    Because securityadmin has the ability to grant any server permission, it is expected that it can grant CONTROL SERVER to a login. This isn't clearly explained in Books Online. Therefore, because securityadmin has the ability to create a login (and thereby know the login's password) and give that login CONTROL SERVER rights, securityadmin should be treated as sysadmin.

    The fixed roles are included mainly for backward compatibility's sake, and granular permissions are the recommended approach. Unfortunately, this doesn't give you everything, meaning you have to stay on top of things if you've got new databases being created: when a new one comes online, you've got to grant the granular permissions to connect to the database and create users. Here are basically the equivalent permissions to what you're probably seeking to do. Note that the database permissions have to be granted on every database they should have the ability to control access to. Also, I'm only stopping at the CREATE USER stage. If you want said login to be able to grant more, then additional permissions at the database level or below will be required.

    -- Server level: create the login and let it create/alter other logins
    CREATE LOGIN SomeLogin WITH PASSWORD = 'SomePassword!1234';
    GO
    GRANT ALTER ANY LOGIN TO SomeLogin;
    GO

    -- Database level: repeat in every database the login should control access to
    USE SomeDatabase;
    GO
    -- CREATE USER without FOR LOGIN maps to the login of the same name (and implies CONNECT)
    CREATE USER SomeLogin;
    GO
    GRANT ALTER ANY USER TO SomeLogin;
    GO

    Obviously, if you have Windows groups, use the appropriate syntax at the CREATE LOGIN level. Now to write this up sometime tonight as a blog post for tomorrow.

    K. Brian Kelley
    @kbriankelley
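The permission set above, as an added example that is not part of Brian Kelley's post: a T-SQL script that first lists every login that should be treated as sysadmin by the reasoning above (members of sysadmin and securityadmin, plus any grantee of CONTROL SERVER), then applies the granular alternative idempotently, looping over every online, writable database so that a newly created database is not missed. The login name SomeLogin and its password are assumed placeholders; the script assumes SQL Server 2008 or later (DECLARE with an initializer) and a caller who is a member of sysadmin.

```sql
-- Added example, not from the original post. Assumes login name SomeLogin,
-- SQL Server 2008+, and that the caller is a member of sysadmin.
SET NOCOUNT ON;

-- 1. Who must be treated as sysadmin: members of sysadmin and securityadmin,
--    and anyone holding CONTROL SERVER directly.
SELECT r.name AS server_role, m.name AS member_login, m.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin')
UNION ALL
SELECT 'CONTROL SERVER (' + p.state_desc + ')', g.name, g.type_desc
FROM sys.server_permissions p
JOIN sys.server_principals g ON g.principal_id = p.grantee_principal_id
WHERE p.permission_name = 'CONTROL SERVER'
  AND p.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION')
ORDER BY 1, 2;

-- 2. Server-level part of the granular alternative (safe to re-run).
DECLARE @login sysname = N'SomeLogin';          -- assumed placeholder name
DECLARE @sql nvarchar(max);

IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @login)
BEGIN
    SET @sql = N'CREATE LOGIN ' + QUOTENAME(@login)
             + N' WITH PASSWORD = ''SomePassword!1234'';';   -- assumed placeholder
    EXEC sp_executesql @sql;
END;
SET @sql = N'GRANT ALTER ANY LOGIN TO ' + QUOTENAME(@login) + N';';
EXEC sp_executesql @sql;

-- 3. Database-level part, applied to every online, writable database the
--    caller can reach. Re-run whenever a database is added. CREATE USER
--    implies CONNECT; a pre-existing user of the same name is left alone.
DECLARE @db sysname;
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE state_desc = 'ONLINE'
      AND is_read_only = 0
      AND name <> 'tempdb'                     -- users in tempdb vanish on restart
      AND HAS_DBACCESS(name) = 1;
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- USE inside the batch switches context for the statements that follow it
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = ' + QUOTENAME(@login, '''') + N')
    CREATE USER ' + QUOTENAME(@login) + N' FOR LOGIN ' + QUOTENAME(@login) + N';
GRANT ALTER ANY USER TO ' + QUOTENAME(@login) + N';';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END;
CLOSE dbs;
DEALLOCATE dbs;
```

Schedule step 3 (or wrap it in a server-level DDL trigger on CREATE_DATABASE) if databases are created frequently; the filter on sys.databases will need adjusting for availability-group secondaries or other databases that are online but not writable from this instance.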